Former CIO urges enterprises towards PCI compliance
- 14 April, 2011 12:45
Australian banks may have been working through their own Payment Card Industry Data Security Standard (PCI DSS) compliance issues, but that won’t stop them from fining business merchants from failing to meet the terms of the security initiative, according to an industry specialist.
PCI DSS was created by Visa, MasterCard and other major credit card brands and is administered by the PCI Security Standards Council.
All companies that accept payment cards are required to implement the 12 high-level security controls prescribed by the standard in order to help mitigate credit card fraud. Larger companies face significantly tougher compliance requirements than smaller firms.
Level 1 merchants — companies that process more than six million credit card transactions a year — must engage a qualified security assessor.
Mark Lewis, the Australia New Zealand director for payment solutions company, IP Payments, said some local banks were still working towards the standard.
"One of the key reasons is that some of the banks will send out credit card numbers in full on statements to card holders and that in itself does not comply with one of the controls set out by the PCI Security Council," he said.
According to Lewis, a few banks have struggled with legacy applications and platforms, although he admitted he did not know how far the affected banks were from compliance.
On the enterprise front, he said recent data breaches in Australia had resulted in greater awareness of PCI standards. In February 2011, cosmetics company Lush was forced to shut down its website following attacks by hackers. At the time, the company advised customers to cancel their credit cards. Lewis, a former chief information officer at UK-based card payments company, Cosmos, said local CIOs and CFOs were not completely up to speed with compliance.
"It's a big challenge because some CIOs need to become familiar with the meaning of PCI, the ongoing costs and the ramifications of acquiring those skills inhouse versus bringing in an external provider to run compliance as a managed service," he said.
Many organisations Lewis works with are in the process of analysing their internal environments to understand where credit card data is kept and how it could be properly secured.
"The banks are becoming much more diligent in enforcing the standards and announcing that the deadlines for compliance have passed," he said.
"Therefore, any fines that are the result of a breach will be handed down to these organisations."
The compliance deadline passed more than 12 months ago.
"I don't know of fines that have been issued but the banks have outlined that it will happen," Lewis said.
Look to smartphones in the futureIn future banks and merchants will need to look at near field communications (NFC) technology where consumers will use smartphones pay for goods and services.
Similar wireless communications were trialled locally between ANZ and Visa during March.
"I believe the iPhone 5 will contain a chip which will allow the phone to be swiped at point of sale terminals. Once the customer base has that device in its hands, I think it will be adopted very quickly," he said.
"At the end of the day it appears to be a very convenient mechanism to pay."
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
12 Tips to Boost Post-Holiday Sales
Updated: Bill Morrow new head of NBN Co
Cloud debate now about speed and sophistication
Cloud debate now about speed and sophistication
Yahoo Mail still down for some users, after an attempted fix
Deliver Protection and Elasticity for your Network
IT teams are constantly being asked to increase overall IT flexibility and business agility by incorporating emerging cloud technologies into their data centre architecture. The question is, how do you embed this elasticity whilst handling the increasingly unpredictable traffic load and maintain strict performance level agreements? Find out how to satisfy these often opposing goals within larger data centre infrastructure and increase capacity and performance as conditions dictate.
SaaS and Cloud ERP Observations
Organizations are more willing now than ever before to consider Cloud and SaaS ERP deployment models. As a growing company it is critical that you have a deployment model that best fits your requirements for cost, scalability and flexibility. In this whitepaper, we look at the increased willingness of organisations to consider the SaaS model for their ERP solutions; current ERP deployment statistics, and why SaaS may be attractive to smaller companies.
Managing Web Security in an Increasingly Challenging Threat Landscape
Cybercriminals have increasingly turned their attention to the web, which has become by far the predominant area of attack. Those who would do harm to our computer systems for profit or malice always manage to focus their efforts on our most vulnerable weak spots. Today, that is the web, for a wide number of reasons. Download to find out why and what you can do to protect yourself.