27 Sep 2007
Just one in 10 UK merchants are compliant with payment card data security rules, leaving them open to security breaches and criminal attacks.
Only 11 per cent of retailers, financial services institutions and other businesses accepting card payments conform to the Payment Card Industry Data Security (PCI DSS) rules, according to a survey by secure transaction specialist The Logic Group.
The guidelines were developed by the PCI Security Standards Council, a global forum established by credit card firms to help prevent security breaches such as fraud and hacking.
The penalties of non-compliance are starting to be felt, said MasterCard vice president Paul Baker.
“Non-compliant merchants are realising the impact through the account data compromises or hacks that are now being seen,” he said.
“The damage to the brand and to customer confidence can be extreme. Our aim is to move all merchants to a compliant status as quickly as possible.”
More than four out of five relevant businesses have assessed the impact of meeting the PCI DSS requirements, says the survey. But six per cent of respondents have neither started working towards compliance, nor intend to.
Insiders say the standard needs to be more widely publicised. “Awareness is growing, but I am amazed at how many people do not know about the standard,” said one hospitality industry source.
“And many people think their software is secure but do not realise compliance means much more.”
One explanation for the slow progress is that attention has been focused elsewhere, said Gartner research director Alistair Newton.
“There has been a lack of priority in the retail community; merchants in the UK have been busy implementing the highly visible chip-and-PIN, so the back-end storage issues have slipped,” he said.
In May TJX, the parent company of high-street chain TK Maxx, admitted nearly 46 million credit and debit card records had been stolen over an 18-month period from July 2005. The breach cost the company nearly $130m (£64m).
“What happened to TK Maxx should drive retailers to compliance because it shows the reputational damage of a breach,” said Newton.
As far as I am concerned PCI DSS card rules are irrelevant in reducing card fraud. The main issue, as shown in many cases such as TK Maxx, is that companies like to keep card details from purchasers in their databases far longer than necessary to process the payment transaction. Once the card information has been used to claim the funds from the purchaser (usually in a daily 'end of day' processing) then that information should be deleted. Companies will claim that they keep it either to facilitate customers making later purchases or so that they can do online refunds if needed. Neither of these reasons is valid. If customers want to make another purchase then they should be forced (in their own interests) to resubmit their card details. Similarly if they want refunds. The only way to enforce this would be to make it a criminal offence (Chief Executives to be liable) for an organisation to keep credit/debit card details longer than necessary (usually a day at most).
Posted by: Gordon Kennedy 30 Sep 2007