Retail IT Summit: Firms overlook data for payment compliance

gallery

Visa, MasterCard and the independent body in charge of administering the latest card data security standard have warned many companies may be unknowingly leaving themselves open to a security breach.

The card companies were at the Retail IT Summit 2007 in Monte Carlo this week to discuss the implications of the recent introduction of the Payment Card Industry Data Security Standard (PCI DSS), which came into force on 30 June.

The PCI Security Standards Council was also present to outline what progress has been made by retailers and the industry alike to comply with the new standard. Bob Russo, the council's general manager stressed the fact the standard mandates card authorisation data - like that held in the magnetic stripe of the CVV code at the back of cards - must not be stored.

"Some organisations don't know they're storing this data," said Russo. "Often times, the point-of-sale system is storing much more information than the company actually knows about based on evidence from 250 cases where a breach has occurred. And the biggest culprit seems to be the restaurant business."

Steve Wilson, Visa Europe's head of compliance and business support said: "Organisations have had a tendency to store more card data than they actually need. It's the magnetic strip data that criminals can use to make a cloned credit card and the CVV code can be used for card-not-present transactions.

"But there's a tendency to store much more data than is actually needed in line with cheaper, more advanced storage. And a common pitfall is that finance data is checked, but other departments like marketing, who may have once had a use for the data, aren't included in the audit."

Wilson advised companies to look at complying with related security standards, BS7799, ISO27001 and Sarbanes-Oxley and said that if they are compliant with these they are probably 70 to 80 per cent of the way there with PCI DSS accreditation. Handing off transactions to PCI-accredited third party payment providers should also ensure no sensitive data ever passes through an organisation's systems in the first place, he added.

Paul Baker, MasterCard's vice president of payment system integrity also stressed that PCI DSS was not only about storing card data, but practising common sense security measures like password protection and physical and internal security policies as, "recent compromises have also taken place in companies that don't hold sensitive data."

Recent research published by the The Ponemon Institute estimated a large-scale security breach like that which befell TJX in the US could cost an organisation as much as $14 million (£6.9 million), not including brand damage.

Email to a friend

Print this page