03 May 2007
Retailers could be hit with hefty fines if they fail to comply with new data security standards due to come into force next month, experts are warning.
The payment card industry (PCI), which represents credit card companies such as Visa and MasterCard, is introducing the PCI Data Security Standards (PCI DSS) to ensure that businesses handling credit card payments protect customer data.
The standards are designed to prevent data breaches such as that suffered over several years by clothing retailer TK Maxx (Computing, 25 January).
PCI DSS sets 12 requirements for monitoring and storing credit card details, from maintaining a secure network to encrypting and restricting access to data, and will require some firms to make changes to network architecture and software design.
Supermarket giant Tesco has recently appointed a qualified security assessor to ensure it meets the PCI DSS requirements.
Tesco has been working on PCI compliance for 18 months, completing an analysis of its systems to identify any gaps in meeting the 12 requirements.
‘We have undertaken a risk assessment of the gaps and have a plan to address the issues, but it will be over the course of our normal software refresh cycle,’ said a Tesco spokesman.
Marks & Spencer has been working since April last year to implement systems to ensure compliance with the latest PCI security standards.
‘Marks & Spencer has always given the protection of customers’ card information the highest importance,’ said a spokeswoman.
But although many large retailers have plans in place to meet the 30 June deadline, some smaller retailers are not ready, says Forrester Research senior analyst Thomas Raschke.
‘All retailers should have established a plan for compliance with PCI DSS, but there are so many regulatory requirements facing retailers, many are just not prepared,’ he said.
‘As with many issues of compliance, the smaller guys are playing catch-up as they do not have the same in-house resources, focus and vision.’
But all retailers should intensify their preparations, says Raschke, because failure to comply could damage reputation.
Butler Group senior analyst Andrew Kellett says many retailers will miss the deadline, just as many failed to implement chip-and-PIN technology in time for last year’s deadline.
‘Chip-and-PIN was one of the biggest changes in payment card rules and had a clear deadline, but some retailers still missed it,’ he said. ‘Retailers in particular have finite resources to upgrade IT systems, and others may not be able to upgrade as they are part of the way through a refresh cycle.’