Card companies - and the slow road to security
While credit card companies want retailers to handle card data more securely, the job is proving too much for some.
It doesn't seem a lot to ask. The credit card companies would like organisations handling the personal details of card holders to make sure the information does not fall into the wrong hands. They have even come up with a useful set of guidelines to help them become secure.
A similar deadline for June 2007 also failed to wake the merchants from their collective slumbers, and still the card schemes have failed to take action.
On the other hand, everyone agrees that data breaches are bad for business. Just look at the grief being suffered by US clothes retailer TJX (which also owns TKMaxx in the UK) after it was discovered that hackers had siphoned off the details of more than 40 million credit cards. The costs of investigation and restitution for the company are already in the millions and still rising.
It is in everyone's interest to maintain faith in credit card security, especially if e-commerce is to continue to grow. And the credit card industry wants to demonstrate that it is capable of regulating itself.
When the Information Commissioner Richard Thomas delivered a scathing annual report in July, and pointed out severe failings across industry, including banking, he asked for his own powers to be strengthened.
But the last thing the payment card industry wants is the Government stepping in with its size 11 boots, so the pressure is now on to get its house in order, and that will require some delicate diplomacy to make it happen. Visa and MasterCard can hardly start threatening big companies like Amazon or Tesco with the removal of their accounts without losing vast sums of money themselves.
And yet the requirements of the standard (see panel below) look quite reasonable - encryption of card data, regular scanning of applications for vulnerabilities, and only storing information where it is absolutely necessary.
He says that for many companies, the biggest problem is knowing where their data is in the organisation. "A large retailer may have agents, dealer networks etc. Data is stored on log files, in back-ups, in web servers. People may be taking copies of the database and storing them on CDs or printing them out. If you've never thought about this before, it can be quite hard to track it all down," he says.
The second challenge is knowing what you are doing with the information. "You may be recording card data in a database - but do you need to? What would happen if you didn't? You can't remove it without knowing what happens to it downstream. It may be hard to find someone in the company who really understands the full end-to-end process," Langley says.
Then there is the question of how to distribute and manage encryption keys, all of which adds to the burden of over-stretched IT departments.
Langley says encryption has been the biggest problem at virtually every company he has worked with on PCI compliance. "They are doing something they have never done before. It is easy to get it wrong. And it often involves building new interfaces in up to 50 systems, which is a huge project."
More than that, it usually involves a fundamental change in corporate culture. As he says, in the retail industry the demands of the marketing department tend to take precedence even if security is in doubt.
The standard requires a wall-to-wall approach, embodying physical security as well as data security, and covering all aspects of the business. According to Chris Barling, head of e-commerce software company Actinic: "If you have a server in your offices where card data resides, for instance, you can't have your cleaners working in the evening, because they would be an unsupervised third-party. This is a very far-reaching set of requirements, and it's very hard to comply with them."
Like many of his customers, mainly small and medium-sized online retailers, he has decided not to handle credit card data at all from now, and has outsourced it all to a specialist company. "No credit card number will go into any system we run. The difficulties and demands are too high," he says.
Others may follow suit, discouraged not only by the high demands of the standard, but also by the prospect of a regular, and expensive, external audit to ensure standards are being maintained.
One thing is sure, companies will need to act. The acquiring banks that operate the card schemes are turning up the pressure and demanding to know, even if companies do not yet comply, what their plans are for doing so. While not prepared to talk about specific sanctions, a spokesman for Visa said: "Our position is that if companies are not yet compliant they should be in the process becoming so. The purpose of PCI is that data within the card system is properly treated."
But Lisa White, an expert in PCI at Deloittes, says that companies should view the exercise as an opportunity to review and improve security, adding it will "deliver competitive advantage, maintain a positive corporate image and safeguard consumer confidence."
The industry standard, PCI DSS, includes 12 key requirements for organisations that accept or processes card payments:
For more information on PCI DSS can be found here.
What you need to know about migrating to SAP S/4HANA
Factors to assess how and when to begin migrationDownload now
Your enterprise cloud solutions guide
Infrastructure designed to meet your company's IT needs for next-generation cloud applicationsDownload now
Testing for compliance just became easier
How you can use technology to ensure compliance in your organisationDownload now
Best practices for implementing security awareness training
How to develop a security awareness programme that will actually change behaviourDownload now