10 Sep 2008
Security experts have sharply criticised the new Payment Card Industry Data Security Standard (PCI DSS), describing it as ineffective and immature.
Speaking exclusively to Computing, Alan Calder, chief executive at consultancy firm IT Governance, argued that many firms are still flouting the standard and escaping fines despite the deadline for compliance passing years ago.
"On the one hand it is an exciting global standard, but penalties for non-compliance are still not clear," he explained. "It is not clear that the acquiring banks will levy big fines on companies [because the customer] may decide to go and bank somewhere else."
Calder added that the banks' priorities are often misguided, pointing out that small tier-four vendors are sometimes targeted while larger retailers escape punishment. He believes that PCI DSS may become more effective if it is mandated by law.
Calder also predicted more data loss scandals in central government because "systemic failure cannot be fixed in three months".
Many tier 1 retailers will have to spend millions of pounds upgrading network infrastructure to support certain requirements of PCI DSS. Whilst every retailer is embracing PCI DSS, raising that amount of capital with no return within a short period of time is impossible for any business - regardless of the economic situation.
A pragmatic approach is being taken where a lot is done to fix data at rest in systems (using encryption for example) so that it cannot be extracted and then used. This can be done relatively cheaply and reduces the likelihood of a compromise. In addition, patching and penetration tests can also be carried out at relatively low cost to reduce the vulnerability of systems. In addition, procedures can be put in place within the business to reduce risk. Note however that a retailer will never be marked as compliant until they have covered 100% of the PCI DSS requirements.
Many retailers are taking the approach that when they need to replace a network component, it is replaced with something that can be made PCI Compliant - therefore most retailers will be fully PCI compliant within the next 4 years.
If a poll were taken to see how far tier 1 retailers were down a compliancy route I think you would be pleasantly surprised on the progress being made by most.
Posted by: James park 11 Sep 2008