Australia lagging in data security compliance: PCI Security Standards Council
- 21 May, 2009 13:43
A lack of financial penalties and a mandate to publicly admit data breaches may be clouding the real state of credit card payment and customer information security in Australia, according to a senior executive from the Payment Card Industry (PCI) Security Standards Council.
In Australia for the AusCERT conference this week, Bob Russo, general manager at the Security Standards Council, said the industry group had identified Australia as lagging behind in the adoption of its Data Security Standard (DSS) aimed at protecting customers and brand reputations from credit card breaches.
“Australia is one of the countries we have targeted this year to make sure there is awareness here, and better adoption in the area,” he said.
Russo said a major contributor to the lag in DSS adoption was the lack of local laws mandating that an organisation must publicly declare any breaches in the security of its customer records.
“One of the biggest differences between North America and here is that [North Americans] tend to publicise all the breaches we have,” he said. “Consequently, there is a lot of awareness in North America, as opposed to Australia, where breaches are not well publicised at all.”
Additionally, a lack of significant fines, levied by financial institutions on their merchants for any breach in the security of customer records, has resulted in there being no impetus for adopting the PCI security standard, Russo said.
“[Merchants] haven’t seen any fines yet, so there is really no ROI there for them when they go to management and say they have to spend money to comply with the [PCI standard],” he said. “As there doesn’t seem to be any reports on [security] compromises, then the ability to affect brand reputation isn’t there.”
However, Russo said it was likely that financial institutions would soon begin levying fines on merchants for non-compliance with the PCI standard.
“Consumers are getting smarter and if they find out their information has been breached by a merchant at some point there is a good possibility that they will not frequent that merchant,” he said. “Merchants should be looking at this as a grace period to get themselves prepared and compliant.”
Internationally, increasing numbers of financial and related organisations -- such as network providers -- were realising the benefits of the PCI standard, Russo claimed.
When the PCI Council formed in September 2006 it had five core members -- American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa. Russo says the organisation now has some 500 participating organisations.
“We have found in the US that no merchant who has been compliant has been breached, and if they have been breached they were not compliant at the time of the breach,” Russo said.
See also the Security Standards Council's Six steps towards PCI DSS compliance.
Comments
sem
Data Protection
I would be curious to know if identity theft is a larger issue in America than it is in Australia. If not, then Australia's government is not doing a very effective job in safeguarding its citizens. Companies are not affected financially if a hacker steals client information to use elsewhere, because unless that hacker is caught, the security breach will never be traced back to the company. It is the government’s job to make it the law that business owners must have quality data protection (http://www.sophos.com) software that keeps client information safe from hackers and criminals. Without this law, businesses have no financial incentive to spend money on data protection software.
Bhushan Pal
Dear Sem,
Yes, identity theft is a larger issue in America.
2010 U.S. Census: Feds Worried Mass Identity Theft, Lawsuits Could Derail $15 Billion Head Count
Visit the following link for more on this issue:
http://www.huffingtonpost.com/2010/04/08/2010-us-census-feds-worri_n_529845.html
I'm sure this is your major concern too. If you would want to know about a solution that GUARANTEES security for any kind of an attack even The Man in the Middle attack for that matter, you can reach me at b.pal@uniken.com
Ian
Why is it this government site is not secure - www.qld.gov.au? Should they be obliged to declare PCI compliance?