In-depth

Card companies - and the slow road to security

While credit card companies want retailers to handle card data more securely, the job is proving too much for some.

It doesn't seem a lot to ask. The credit card companies would like organisations handling the personal details of card holders to make sure the information does not fall into the wrong hands. They have even come up with a useful set of guidelines to help them become secure.

A similar deadline for June 2007 also failed to wake the merchants from their collective slumbers, and still the card schemes have failed to take action.

Advertisement - Article continues below

On the other hand, everyone agrees that data breaches are bad for business. Just look at the grief being suffered by US clothes retailer TJX (which also owns TKMaxx in the UK) after it was discovered that hackers had siphoned off the details of more than 40 million credit cards. The costs of investigation and restitution for the company are already in the millions and still rising.

It is in everyone's interest to maintain faith in credit card security, especially if e-commerce is to continue to grow. And the credit card industry wants to demonstrate that it is capable of regulating itself.

When the Information Commissioner Richard Thomas delivered a scathing annual report in July, and pointed out severe failings across industry, including banking, he asked for his own powers to be strengthened.

Advertisement
Advertisement - Article continues below

But the last thing the payment card industry wants is the Government stepping in with its size 11 boots, so the pressure is now on to get its house in order, and that will require some delicate diplomacy to make it happen. Visa and MasterCard can hardly start threatening big companies like Amazon or Tesco with the removal of their accounts without losing vast sums of money themselves.

Advertisement - Article continues below

And yet the requirements of the standard (see panel below) look quite reasonable - encryption of card data, regular scanning of applications for vulnerabilities, and only storing information where it is absolutely necessary.

He says that for many companies, the biggest problem is knowing where their data is in the organisation. "A large retailer may have agents, dealer networks etc. Data is stored on log files, in back-ups, in web servers. People may be taking copies of the database and storing them on CDs or printing them out. If you've never thought about this before, it can be quite hard to track it all down," he says.

The second challenge is knowing what you are doing with the information. "You may be recording card data in a database - but do you need to? What would happen if you didn't? You can't remove it without knowing what happens to it downstream. It may be hard to find someone in the company who really understands the full end-to-end process," Langley says.

Advertisement - Article continues below

Then there is the question of how to distribute and manage encryption keys, all of which adds to the burden of over-stretched IT departments.

Langley says encryption has been the biggest problem at virtually every company he has worked with on PCI compliance. "They are doing something they have never done before. It is easy to get it wrong. And it often involves building new interfaces in up to 50 systems, which is a huge project."

Advertisement
Advertisement - Article continues below

More than that, it usually involves a fundamental change in corporate culture. As he says, in the retail industry the demands of the marketing department tend to take precedence even if security is in doubt.

The standard requires a wall-to-wall approach, embodying physical security as well as data security, and covering all aspects of the business. According to Chris Barling, head of e-commerce software company Actinic: "If you have a server in your offices where card data resides, for instance, you can't have your cleaners working in the evening, because they would be an unsupervised third-party. This is a very far-reaching set of requirements, and it's very hard to comply with them."

Advertisement - Article continues below

Like many of his customers, mainly small and medium-sized online retailers, he has decided not to handle credit card data at all from now, and has outsourced it all to a specialist company. "No credit card number will go into any system we run. The difficulties and demands are too high," he says.

Others may follow suit, discouraged not only by the high demands of the standard, but also by the prospect of a regular, and expensive, external audit to ensure standards are being maintained.

One thing is sure, companies will need to act. The acquiring banks that operate the card schemes are turning up the pressure and demanding to know, even if companies do not yet comply, what their plans are for doing so. While not prepared to talk about specific sanctions, a spokesman for Visa said: "Our position is that if companies are not yet compliant they should be in the process becoming so. The purpose of PCI is that data within the card system is properly treated."

Advertisement - Article continues below

But Lisa White, an expert in PCI at Deloittes, says that companies should view the exercise as an opportunity to review and improve security, adding it will "deliver competitive advantage, maintain a positive corporate image and safeguard consumer confidence."

The industry standard, PCI DSS, includes 12 key requirements for organisations that accept or processes card payments:

For more information on PCI DSS can be found here.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/mobile/mobile-security/355889/parachute-introduces-superlock-feature
mobile security

Parachute's Superlock feature keeps your phone recording in an emergency

2 Jun 2020
Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020

Most Popular

Visit/security/ransomware/355891/nasa-it-contractor-ransomware-hack
ransomware

Ransomware collective claims to have hacked NASA IT contractor

3 Jun 2020
Visit/security/exploits/355866/critical-vmware-cloud-director-exploit-lets-hackers-seize-corporate
exploits

VMware Cloud Director exploit lets hackers seize corporate servers

2 Jun 2020
Visit/data-insights/data-science/355678/how-data-science-is-transforming-business
Sponsored

How data science is transforming business

29 May 2020