Former CIO urges enterprises towards PCI compliance
- 14 April, 2011 12:45
Australian banks may have been working through their own Payment Card Industry Data Security Standard (PCI DSS) compliance issues, but that won’t stop them from fining business merchants for failing to meet the terms of the security initiative, according to an industry specialist.
PCI DSS was created by Visa, MasterCard and other major credit card brands and is administered by the PCI Security Standards Council.
All companies that accept payment cards are required to implement the 12 high-level security controls prescribed by the standard in order to help mitigate credit card fraud. Larger companies face significantly tougher compliance requirements than smaller firms.
Level 1 merchants — companies that process more than six million credit card transactions a year — must engage a qualified security assessor.
Mark Lewis, the Australia and New Zealand director for payment solutions company IP Payments, said some local banks were still working towards the standard.
"One of the key reasons is that some of the banks will send out credit card numbers in full on statements to card holders and that in itself does not comply with one of the controls set out by the PCI Security Council," he said.
According to Lewis, a few banks have struggled with legacy applications and platforms, although he admitted he did not know how far the affected banks were from compliance.
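The control Lewis refers to is the PCI DSS requirement to mask the primary account number (PAN) wherever it is displayed, with the first six and last four digits being the most that may be shown. As an added example, not code from the article or from IP Payments, the Python below is a check a statement-generation pipeline could run before printing: it finds Luhn-valid full card numbers in outgoing statement text and redacts them to the permitted digits. The sample statement and the test card number are constructed.

```python
import re
from typing import List

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS allows at most the first six and
    last four digits to be shown; everything in between becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    keep_first, keep_last = min(keep_first, 6), min(keep_last, 4)
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("PAN too short to mask meaningfully")
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_unmasked_pans(text: str) -> List[str]:
    """Return every Luhn-valid digit run in text that looks like a full PAN."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_statement(text: str) -> str:
    """Replace each full PAN in statement text with its masked form.
    Digit runs that fail Luhn (e.g. account references) are left alone."""
    def repl(m: "re.Match") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


# Constructed sample statement; 4111 1111 1111 1111 is a standard test PAN,
# the account reference is a 16-digit number that is not a valid card number.
SAMPLE_STATEMENT = """Card: 4111 1111 1111 1111
Account ref: 1234 5678 9012 3456
Balance: 120.50"""
```

Running find_unmasked_pans over the rendered statement before it leaves the system gives the statement-level control a measurable check; a non-empty result is a compliance failure to block, not just to log.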
On the enterprise front, he said recent data breaches in Australia had resulted in greater awareness of PCI standards. In February 2011, cosmetics company Lush was forced to shut down its website following attacks by hackers. At the time, the company advised customers to cancel their credit cards. Lewis, a former chief information officer at UK-based card payments company Cosmos, said local CIOs and CFOs were not completely up to speed with compliance.
"It's a big challenge because some CIOs need to become familiar with the meaning of PCI, the ongoing costs and the ramifications of acquiring those skills in-house versus bringing in an external provider to run compliance as a managed service," he said.
Many organisations Lewis works with are in the process of analysing their internal environments to understand where credit card data is kept and how it could be properly secured.
"The banks are becoming much more diligent in enforcing the standards and announcing that the deadlines for compliance have passed," he said.
"Therefore, any fines that are the result of a breach will be handed down to these organisations."
The compliance deadline passed more than 12 months ago.
"I don't know of fines that have been issued but the banks have outlined that it will happen," Lewis said.
Look to smartphones in the future
In future, banks and merchants will need to look at near field communications (NFC) technology, where consumers will use smartphones to pay for goods and services.
Similar wireless communications were trialled locally between ANZ and Visa during March.
"I believe the iPhone 5 will contain a chip which will allow the phone to be swiped at point of sale terminals. Once the customer base has that device in its hands, I think it will be adopted very quickly," he said.
"At the end of the day it appears to be a very convenient mechanism to pay."