Cotton Traders tightens credit card protections

Cotton Traders achieved PCI compliance in October

Clothing manufacturer Cotton Traders has increased customer payment data security to become compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The company is deploying 'tokenisation' middleware which ensures that credit card details are replaced by a token held in a data depository kept separate from its SAP order-processing system.

"Customer security has always been at the top of our priorities. We want to ensure that our customers know we will manage their data safely," said Nick Turner, development manager at Cotton Traders.

Encrypted valid credit card data stored by the retailer prior to the new system has already been tokenised, said Turner, and information on expired cards has been wiped.

Cotton Traders is using a hosted system from Cybersource, which was chosen after an evaluation by SAP consultancy BizAps.

The retailer achieved PCI compliance in October, but lost thousands of customers' personal details earlier this year as a result of card-not-present fraud.

"In January 2008 we identified a security issue and immediately brought in industry experts to resolve the problem," the company said at the time. An anti-fraud unit backed by UK payments association Apacs has so far made one arrest in connection with the case, which remains under investigation.

The implementation of IT supporting the PCI DSS may be particularly challenging for businesses without a proper security and risk management policy in place, according to Mike Maddison, head of UK security and privacy services at Deloitte.

"Companies already struggle to assess where sensitive information is actually held even before any technical work is carried out," he said.

"That said, the complexity of security measures introduced to the IT setup of organisations working to comply with PCI regulations may disrupt business processes. That is one of the reasons why such projects have such a long time span."