10 Jul 2008
Department store John Lewis is unhappy about the inconsistency of requirements for systems geared at compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The retailer plans to become fully compliant by the middle of next year and
is introducing systems related to the 12 requirements for compliance, which
include reviewing storage arrangements for customer payment information.
Data encryption is a key focus area and the retailer is looking at ways to strengthen the security of customer details.
But achieving compliance has been a challenging process, mainly because of constantly changing requirements, said Frank Cordrey, head of development support at John Lewis.
“The goalposts of the PCI standard have been moved several times. It was fairly consistent and the objectives were clear at first, but there are a number of areas that have changed considerably in the past couple of years,” Cordrey told Computing.
The PCI DSS standard was introduced by Visa and MasterCard to enhance payment account data security and led to the foundation of the PCI Security Standards Council, a group of more than 460 businesses responsible for maintaining and publishing the rules. John Lewis is one of the members.
But requirements are often changed “on the fly”, which means that work carried out is out of date by the time companies go through compliance checks, said Cordrey.
“There are times when you need rules to be static for a while so you can catch up and take things forward. What I would like to see is someone accepting the fact that this is a big task and that if you want people to stick to rules, specifications must be retained,” he said.
“If I change any system based on an approved PCI specification that will potentially affect many other systems, only to have the requirements changed again, then it is a waste of time and money.”
More confusion is expected to stem from the release of the second version of the PCI standard in October, said Paul Brennecker, a PCI DSS security expert at consultancy Security Risk Management.
"There is a lot of miscomprehension about what the new version of the standard may bring, even though there may not be major changes. But the challenge remains understanding how to apply the requirements and adapting technology around the rules," he said.
I'm really sorry that Mr. Cordrey does not understand the nature of security these days. Since the attack landscape changes almost every day with every new attack, security must change to address these new risks.
The PCI DSS is a fluid document based on the fact that the PCI SSC and the card brands understand that the security landscape does change. As a result, the DSS changes to reflect the new risks.
Maybe Mr. Cordrey would prefer his company suffer a breach while we waits to take his time to address his organisation's compliance with the DSS.
Posted by: Jeff Hall 10 Jul 2008
As I understand it, the PCI standard hasn't changed in two years but the article quotes him as saying that the changes happen frequently? What am I missing?
Reporters always go for the biggest title but it usually means interviewing someone with limited or high-level understanding of something as complex or verbose as PCI DSS.
Posted by: TJ Pepperdine 10 Jul 2008
Have your say on this article
Newsletters
Latest stories from Networks
Latest videos
You may also like
Networks jobs
Will Facebook be able to continue its success as a public company?
Rubbish in... rubbish enterprise. Why proper data management is so important (video, 6 min)
This Forrester report compares the costs and benefits of legacy email and productivity software with Google Apps
Upcoming Events
The implementation of robust, relevant digital strategies is more crucial than ever to the success of insurance businesses
Date: 01 Mar 2012
Time: 09:00am
A showcase of the latest in the information content and management
Date: 20 Mar 2012
Time: 09:00am
Receive the latest jobs direct to your inbox
Are you being paid what you are worth?
