Card companies - and the slow road to security
By Ron Condon
It doesn't seem a lot to ask. The credit card companies would like organisations handling the personal details of card holders to make sure the information does not fall into the wrong hands. They have even come up with a useful set of guidelines to help them become secure.
So far, so reasonable. But the details on the Payment Card Industry Data Security Standard (PCI DSS for short) have so far proved to be too much to handle for most retailers and merchants.
An initial deadline for compliance was set for June 2005, but few companies bothered to change. And when the card companies and their acquiring banks failed to apply any kind of sanction or punishment against offenders, most of industry shrugged its shoulders and carried on regardless.
A similar deadline for June 2007 also failed to wake the merchants from their collective slumbers, and still the card schemes have failed to take action.
On the other hand, everyone agrees that data breaches are bad for business. Just look at the grief being suffered by US clothes retailer TJX (which also owns TK Maxx in the UK) after it was discovered that hackers had siphoned off the details of more than 40 million credit cards. The costs of investigation and restitution for the company are already in the millions and still rising.
It is in everyone's interest to maintain faith in credit card security, especially if e-commerce is to continue to grow. And the credit card industry wants to demonstrate that it is capable of regulating itself.
When the Information Commissioner Richard Thomas delivered a scathing annual report in July, and pointed out severe failings across industry, including banking, he asked for his own powers to be strengthened.
But the last thing the payment card industry wants is the Government stepping in with its size 11 boots, so the pressure is now on to get its house in order, and that will require some delicate diplomacy to make it happen. Visa and MasterCard can hardly start threatening big companies like Amazon or Tesco with the removal of their accounts without losing vast sums of money themselves.
And yet the requirements of the standard (see panel below) look quite reasonable - encryption of card data, regular scanning of applications for vulnerabilities, and only storing information where it is absolutely necessary.
For any company with a well-developed approach to security, it should prove no real problem.
But in reality, compliance with PCI DSS has been an uphill struggle. "Companies have found the standard onerous to achieve. For retailers, I'd say they find it anywhere between 'rather challenging' to 'very challenging'," says Simon Langley, head of certifications services for KPMG.
He says that for many companies, the biggest problem is knowing where their data is in the organisation. "A large retailer may have agents, dealer networks etc. Data is stored on log files, in back-ups, in web servers. People may be taking copies of the database and storing them on CDs or printing them out. If you've never thought about this before, it can be quite hard to track it all down," he says.
The second challenge is knowing what you are doing with the information. "You may be recording card data in a database - but do you need to? What would happen if you didn't? You can't remove it without knowing what happens to it downstream. It may be hard to find someone in the company who really understands the full end-to-end process," Langley says.
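The data-discovery problem Langley describes, finding card numbers that have leaked into log files and similar stores, is usually tackled with a scanner that looks for digit runs and keeps only those that pass the Luhn check digit test, which filters out order numbers, phone numbers and timestamps. The script below is an added illustration, not from the article or from KPMG; the log lines are constructed, and findings are reported with the PAN masked to the first six and last four digits so the scan output itself does not become another copy of the data.

```python
import re
from typing import List, Dict

# Constructed sample log lines (not from the article): one order line that
# accidentally records a full PAN, one with a correctly masked PAN, and two
# lines whose long digit runs are not card numbers.
SAMPLE_LOG = """\
2007-08-01 10:12:03 order=100234 pan=4111-1111-1111-1111 amount=49.99
2007-08-01 10:12:09 order=100235 pan=411111******1111 amount=12.00
2007-08-01 10:13:41 order=100236 txid=1234567890123456 status=ok
2007-08-01 10:14:00 customer phone=02079460000 card=5500 0000 0000 0004
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Scan text for Luhn-valid card numbers; report line number and masked PAN only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask(digits)})
    return findings


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f['line']}: possible card number {f['masked']}")
```

Run against real log directories, the same function flags the 16-digit transaction id on line 3 as a non-finding because it fails Luhn, while both the dashed and the space-separated card numbers are caught.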