Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Former CIO urges enterprises towards PCI compliance

Australian organisations still struggling, says IP Payments' Mark Lewis

Australian banks may have been working through their own Payment Card Industry Data Security Standard (PCI DSS) compliance issues, but that won’t stop them from fining business merchants from failing to meet the terms of the security initiative, according to an industry specialist.

PCI DSS was created by Visa, MasterCard and other major credit card brands and is administered by the PCI Security Standards Council.

All companies that accept payment cards are required to implement the 12 high-level security controls prescribed by the standard in order to help mitigate credit card fraud. Larger companies face significantly tougher compliance requirements than smaller firms.

Level 1 merchants — companies that process more than six million credit card transactions a year — must engage a qualified security assessor.

Mark Lewis, the Australia New Zealand director for payment solutions company, IP Payments, said some local banks were still working towards the standard.

"One of the key reasons is that some of the banks will send out credit card numbers in full on statements to card holders and that in itself does not comply with one of the controls set out by the PCI Security Council," he said.

According to Lewis, a few banks have struggled with legacy applications and platforms, although he admitted he did not know how far the affected banks were from compliance.

On the enterprise front, he said recent data breaches in Australia had resulted in greater awareness of PCI standards. In February 2011, cosmetics company Lush was forced to shut down its website following attacks by hackers. At the time, the company advised customers to cancel their credit cards. Lewis, a former chief information officer at UK-based card payments company, Cosmos, said local CIOs and CFOs were not completely up to speed with compliance.

"It's a big challenge because some CIOs need to become familiar with the meaning of PCI, the ongoing costs and the ramifications of acquiring those skills inhouse versus bringing in an external provider to run compliance as a managed service," he said.

Many organisations Lewis works with are in the process of analysing their internal environments to understand where credit card data is kept and how it could be properly secured.

"The banks are becoming much more diligent in enforcing the standards and announcing that the deadlines for compliance have passed," he said.

"Therefore, any fines that are the result of a breach will be handed down to these organisations."

The compliance deadline passed more than 12 months ago.

"I don't know of fines that have been issued but the banks have outlined that it will happen," Lewis said.

Look to smartphones in the future

In future banks and merchants will need to look at near field communications (NFC) technology where consumers will use smartphones pay for goods and services.

Similar wireless communications were trialled locally between ANZ and Visa during March.

"I believe the iPhone 5 will contain a chip which will allow the phone to be swiped at point of sale terminals. Once the customer base has that device in its hands, I think it will be adopted very quickly," he said.

"At the end of the day it appears to be a very convenient mechanism to pay."

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow CIO Australia on Twitter: @CIO_Australia

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ANZ, NFC, Visa
References show all
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: PCI compliance regulation, Mark Lewis, PCI compliance, enterprise, banks, IP Payments
Latest Blog Posts
Whitepapers
  • Software Defined Protection - The Enterprise Security Blueprint
    In a world with high-demanding IT infrastructures and networks, where perimeters are no longer well defined and where threats grow more intelligent every day, we need to define the right way to protect enterprises in the ever-changing threat landscape. Download today to define your security blueprint.
    Learn more »
  • The Three Essential Steps to Successful Cloud Migration
    Businesses and enterprises have quickly realised the power and efficiency of cloud computing, but migrating to the cloud can be a challenging process. This guide leads you through the three key steps you should take to assess your workload, select the most appropriate cloud model and ensure your cloud provider’s migration methodology stacks up.
    Learn more »
  • Is Your IT Infrastructure Keeping Up?
    This helpful infographic demonstrates how, when IT is the backbone of modern business, a converged infrastructure system can solve the challenge of cost, complexity, availability, rapid provisioning and flexibility.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Salary Calculator

Supplied by

View the full Peoplebank ICT Salary & Employment Index

Recent comments