e-commerce by screen pages We provide e-commerce & marketing services to online retailers.

PCI/DSS and e-commerce - time is running out

Time is running out for organisations that handle credit card payments to make their systems compliant with a new security standard, experts have warned.

In less than one month, the Payment Card Industry, which represents credit card companies, will bring in the PCI Data Security Standard (DSS) to help safeguard customer data. But there are fears that many smaller retailers, in particular, will not be ready for the 30 June deadline and could face fines. Firms with large numbers of transactions are required to monitor closely all access to stored credit card information, and they can be audited quarterly at a cost of up to £10,000 a time to ensure best practice is adhered to.

The PCI DSS was developed in January 2005 by Visa and MasterCard to compel businesses that process payment card data to meet 12 security standards. It sets requirements for the monitoring and storage of credit card information to four levels of security, depending on the volume of credit card transactions being handled.

But retailers only began to get to grips with the standard last year, following a series of high-profile leaks of confidential credit card data, including the loss of 45 million credit card details from US retailer TJX.

In summary, the key guidelines are:

* Install and maintain a firewall configuration to protect data
* Do not use vendor-supplied defaults for passwords or other security parameters
* Protect stored data
* Encrypt the transmission of cardholder data and sensitive information
* Use and regularly update anti-virus software
* Develop and maintain secure systems and applications
* Restrict access to data by business need-to-know
* Assign a unique ID to each person with computer access
* Restrict physical access to cardholder data
* Track and monitor all access to network resources and cardholder data
* Regularly test security systems and processes
* Maintain a policy that addresses information security

The UK's largest retailer, Tesco, told Computer Weekly recently that it had been working on PCI DSS compliance for the past 18 months to ensure it was prepared for the change. Nick Mourant, group treasurer at Tesco, said the firm had completed a gap analysis of its current configurations and had undertaken a risk assessment around any shortcomings. He said Tesco was confident that any gaps in its PCI DSS compliance would be addressed over the course of the retailer's normal software refresh cycle.

John Lewis said it had appointed a project manager and had identified areas where work was required to meet the requirements of the PCI DSS. "We are in the process of producing a detailed implementation plan," a spokeswoman said.

Seana Pitt, chair of the PCI Security Standards Council, said, "Everyone has a role to play in keeping sensitive payment data secure." She urged retailers to be aware of where credit card data was being stored, and to eliminate non-essential data.

"Retailers should look to ensure that sensitive authentication data is not stored in their systems. They should scope their system to know where their data resides, become familiar with the PCI DSS and create action plans to become compliant," said Pitt.
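The two pieces of advice above (requirement 3, "Protect stored data", from the list of guidelines, and Pitt's point that merchants should find out where card data resides and make sure sensitive authentication data is never stored) both come down to one practical exercise: scanning the systems you operate for card numbers and for fields such as CVV or magnetic-stripe track data that must not be kept after authorisation. The script below is an added illustration written for this page, not code from Screen Pages, One-SEC or the PCI council. It assumes a merchant has exported application log lines to scan; the four log lines are constructed for the example, and the card numbers in them are well-known test numbers rather than real accounts. It reports only masked card numbers (first six and last four digits), so the scan output does not itself become a new copy of cardholder data.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjoining other digits. Anything that merely looks like a card
# number is then confirmed with the Luhn check to cut down false positives
# (timestamps, session ids and order numbers rarely pass Luhn).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that indicate sensitive authentication data (SAD), which PCI DSS
# forbids storing after authorisation: card verification codes and track data.
# Pattern names are an assumption about how an application might label them.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|track[12]?)\s*[=:]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the unmasked card numbers found in one line of text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: List[str]) -> List[Dict]:
    """Scan log lines; report masked PANs and SAD field names per line."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = [mask_pan(p) for p in find_pans(line)]
        sad_fields = [m.group(1).lower() for m in SAD_RE.finditer(line)]
        if pans or sad_fields:
            findings.append({"line": n, "pans": pans, "sad_fields": sad_fields})
    return findings


# Constructed sample log lines. The card numbers are published test numbers.
LOG_LINES = [
    '2008-06-12 10:01:02 order=100234 pan=4111111111111111 cvv=123 amount=49.99',
    '2008-06-12 10:01:05 order=100235 pan=411111******1111 amount=12.50',
    '2008-06-12 10:02:17 session=1234567890123456 user=alice',
    '2008-06-12 10:03:40 order=100236 card="5555 5555 5555 4444" amount=80.00',
]

if __name__ == "__main__":
    for f in scan_lines(LOG_LINES):
        print(f"line {f['line']}: PANs {f['pans']} SAD fields {f['sad_fields']}")
```

Line 1 is the case the council warns about: a full card number and a CVV written to an application log, which turns the log server into part of the cardholder data environment. Line 2 is already masked and is not reported, and line 3 shows why the Luhn check matters: a 16-digit session id that fails it is ignored rather than flagged. Running something like this over logs, databases exports and backups is the "scope your system" step; the findings are then the basis for the action plan (stop logging the field, truncate, or encrypt).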

Andrew McClelland, director of projects at online retailers trade body IMRG, said, "Everyone accepts the need for a standard, but PCI DSS is an extremely large and complex project."

At Pindar Screen Pages, we have been working with One-SEC to plan and achieve compliance for all our client merchants. This involved an external consultancy and audit project, which produced detailed recommendations and an implementation plan for individual websites (from a software and database perspective), as well as significant network infrastructure and support systems work. This project is well advanced: it should achieve full compliance for us as a service provider by June/July, and for all our merchants on a similar timescale.

For more information and lots of downloadable material, see:

http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp



© 1997-2008 Copyright Screen Pages Limited. Terms and Conditions.