Retailers could be hit with hefty fines if they fail to comply with new data security standards due to come into force next month, experts are warning.
The payment card industry (PCI), which represents credit card companies such as Visa and MasterCard, is introducing the PCI Data Security Standards (PCI DSS) to ensure that businesses handling credit card payments protect customer data.
The standards are designed to prevent data breaches such as that suffered over several years by clothing retailer TK Maxx (Computing, 25 January).
PCI DSS sets 12 requirements for monitoring and storing credit card details, from maintaining a secure network to encrypting and restricting access to data, and will require some firms to make changes to network architecture and software design.
Supermarket giant Tesco has recently appointed a qualified security assessor to ensure it meets the PCI DSS requirements.
Tesco has been working on PCI compliance for 18 months, completing an analysis of its systems to identify any gaps in meeting the 12 requirements.
‘We have undertaken a risk assessment of the gaps and have a plan to address the issues, but it will be over the course of our normal software refresh cycle,’ said a Tesco spokesman.
Marks & Spencer has been working since April last year to implement systems to ensure compliance with the latest PCI security standards.
‘Marks & Spencer has always given the protection of customers’ card information the highest importance,’ said a spokeswoman.
But although many large retailers have plans in place to meet the 30 June deadline, some smaller retailers are not ready, says Forrester Research senior analyst Thomas Raschke.
‘All retailers should have established a plan for compliance with PCI DSS, but there are so many regulatory requirements facing retailers, many are just not prepared,’ he said.
‘As with many issues of compliance, the smaller guys are playing catch-up as they do not have the same in-house resources, focus and vision.’
But all retailers should intensify their preparations, says Raschke, because failure to comply could damage reputation.
Butler Group senior analyst Andrew Kellett says many retailers will miss the deadline, just as many failed to implement chip-and-PIN technology in time for last year’s deadline.
‘Chip-and-PIN was one of the biggest changes in payment card rules and had a clear deadline, but some retailers still missed it,’ he said. ‘Retailers in particular have finite resources to upgrade IT systems, and others may not be able to upgrade as they are part of the way through a refresh cycle.’
PCI Data deadline
- The PCI Data Security Standard will come into effect on 30 June.
- Retailers can avoid a fine for non-compliance if they have undertaken risk analysis.