Payment data rules criticised

John Lewis IT chief says changing requirements hinder PCI compliance

John Lewis is fed up with PCI moving goalposts

Department store John Lewis is unhappy about the inconsistency of requirements for systems geared at compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The retailer plans to become fully compliant by the middle of next year and is introducing systems related to the 12 requirements for compliance, which
include reviewing storage arrangements for customer payment information.

Data encryption is a key focus area and the retailer is looking at ways to strengthen the security of customer details.

But achieving compliance has been a challenging process, mainly because of constantly changing requirements, said Frank Cordrey, head of development support at John Lewis.

“The goalposts of the PCI standard have been moved several times. It was fairly consistent and the objectives were clear at first, but there are a number of areas that have changed considerably in the past couple of years,” Cordrey told Computing.

The PCI DSS standard was introduced by Visa and MasterCard to enhance payment account data security and led to the foundation of the PCI Security Standards Council, a group of more than 460 businesses responsible for maintaining and publishing the rules. John Lewis is one of the members.

But requirements are often changed “on the fly”, which means that work carried out is out of date by the time companies go through compliance checks, said Cordrey.

“There are times when you need rules to be static for a while so you can catch up and take things forward. What I would like to see is someone accepting the fact that this is a big task and that if you want people to stick to rules, specifications must be retained,” he said.

“If I change any system based on an approved PCI specification that will potentially affect many other systems, only to have the requirements changed again, then it is a waste of time and money.”

More confusion is expected to stem from the release of the second version of the PCI standard in October, said Paul Brennecker, a PCI DSS security expert at consultancy Security Risk Management.

"There is a lot of miscomprehension about what the new version of the standard may bring, even though there may not be major changes. But the challenge remains understanding how to apply the requirements and adapting technology around the rules," he said.