Former CIO urges enterprises towards PCI compliance
- 14 April, 2011 12:45
Australian banks may have been working through their own Payment Card Industry Data Security Standard (PCI DSS) compliance issues, but that won’t stop them from fining business merchants from failing to meet the terms of the security initiative, according to an industry specialist.
PCI DSS was created by Visa, MasterCard and other major credit card brands and is administered by the PCI Security Standards Council.
All companies that accept payment cards are required to implement the 12 high-level security controls prescribed by the standard in order to help mitigate credit card fraud. Larger companies face significantly tougher compliance requirements than smaller firms.
Level 1 merchants — companies that process more than six million credit card transactions a year — must engage a qualified security assessor.
Mark Lewis, the Australia New Zealand director for payment solutions company, IP Payments, said some local banks were still working towards the standard.
"One of the key reasons is that some of the banks will send out credit card numbers in full on statements to card holders and that in itself does not comply with one of the controls set out by the PCI Security Council," he said.
According to Lewis, a few banks have struggled with legacy applications and platforms, although he admitted he did not know how far the affected banks were from compliance.
On the enterprise front, he said recent data breaches in Australia had resulted in greater awareness of PCI standards. In February 2011, cosmetics company Lush was forced to shut down its website following attacks by hackers. At the time, the company advised customers to cancel their credit cards. Lewis, a former chief information officer at UK-based card payments company, Cosmos, said local CIOs and CFOs were not completely up to speed with compliance.
"It's a big challenge because some CIOs need to become familiar with the meaning of PCI, the ongoing costs and the ramifications of acquiring those skills inhouse versus bringing in an external provider to run compliance as a managed service," he said.
Many organisations Lewis works with are in the process of analysing their internal environments to understand where credit card data is kept and how it could be properly secured.
"The banks are becoming much more diligent in enforcing the standards and announcing that the deadlines for compliance have passed," he said.
"Therefore, any fines that are the result of a breach will be handed down to these organisations."
The compliance deadline passed more than 12 months ago.
"I don't know of fines that have been issued but the banks have outlined that it will happen," Lewis said.
Look to smartphones in the futureIn future banks and merchants will need to look at near field communications (NFC) technology where consumers will use smartphones pay for goods and services.
Similar wireless communications were trialled locally between ANZ and Visa during March.
"I believe the iPhone 5 will contain a chip which will allow the phone to be swiped at point of sale terminals. Once the customer base has that device in its hands, I think it will be adopted very quickly," he said.
"At the end of the day it appears to be a very convenient mechanism to pay."
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Some Australian businesses 'unlikely' to be ready for Privacy Act changes: survey
- BYOA 'shadow IT' grows in the enterprise: Telsyte
- Cost of a Privacy Act breach could extend to ongoing audits: legal expert
- How Hunter Water is saving $50k a year in software licences
- Audit agency does BYOD with BlackBerry
Trust issue looms large for tech companies capitalizing on personal data
5 women who've made it in IT
Five trends affecting legal CIOs
CIO Roundtable: The changing face of security
Bitcoin malware count soars as cryptocurrency value climbs
Keeping up with an Increasingly Sophisticated Threat Environment
Relying on traditional signature based Anti Virus alone is simply not sufficient to prevent today’s onslaught of new, sophisticated and advanced malware. This whitepaper describes in detail, some trends and statistics on the malware detection, it then introduces a multi-vector approach to accurately detect malware in the IT environment, and verify that existing anti malware already deployed are functioning optimally.
Pathways Advanced ICT Leadership Development Program Course Outline and Big 6 2013
Developed by the CIO executive Council in conjunction with Rob Livingstone Advisory, Pathways Advanced is a 12-month CIO delivered, small group, mentor based professional leadership development program. Pathways Advanced brings together best practice, thought leadership and business insights for today’s most promising ICT professionals
Case Study: The True Value of Conference Calling
In a study by the University of Bradford study, we look at the benefits of a strong telepresence and how organisations can become faster, more focused and environmentally responsible. Click to download!