Like cockroaches, fraudsters are an adaptable and hard-to-destroy species. Now that the chip and PIN rollout is complete, they have been busy pursuing new ways of stealing cardholder data, and Card Not Present fraud has risen as a result. A number of high-profile cases in the US have led the card companies to implement a new method of pest control, the Payment Card Industry Data Security Standard (PCI DSS), which looks set to have just as big an impact on the retail sector as chip and PIN.
The PCI standard draws together the security requirements and guidelines developed individually by the card schemes into a single standard designed to protect cardholder identity and transaction information. Prior to the merger, the individual card schemes' programmes were known as:

• MasterCard SDP (Site Data Protection) security certification
• Visa AIS (Account Information Security)
• Visa CISP (Cardholder Information Security Program)
• American Express DSOP (Data Security Operating Policy)
• Discover DISC (Information Security and Compliance)
“It’s a much bigger issue than people have been led to believe,” says Paul Makin, sales director at K3. “It’s not just a process change, it will involve software changes at the expense of the retailers.” PCI DSS is a wide-ranging standard that covers people, processes and technology. All parties involved in the card payment system must adhere to its requirements. This includes all acquirers, merchants, retailers and payment service providers.
The compliance requirements of PCI DSS, as set out by Visa and MasterCard, apply not only at entity level but also at system component level. This includes any network components, servers or applications included in, or connected to, the cardholder data environment.

Although the 30 June 2007 compliance deadline is fast approaching, the number of retailers actively working toward compliance remains low. The original deadline for compliance was set as 30 June 2005 until an extension was granted (the UK is the only country in Europe where it has been extended).
One of the main aims of the PCI standard is putting a stop to cases of internal fraud, a long-term problem for organisations handling cardholder data. According to a recent DTI Security Breaches Survey, 64 per cent of large companies reported staff misuse of IT systems, 39 per cent reported unauthorised access by outsiders (including hacking attempts) and 49 per cent reported computer-related theft or fraud. The average cost to a large company of a serious security incident is in the region of £120,000.
The security of the internal network has long been underestimated as an entry point for theft or attack, according to Steve Mulhearn, technical director at Arbor Networks. PCI compliance requires a shift of attention to the interior of the network: it demands that network security managers know the established network conversation patterns of every employee who has access to servers, know how data is encrypted and ensure that access to sensitive data is restricted. Despite rumours that some retailers see PCI as little more than a money-making scheme by the card companies, Mulhearn maintains its importance to the retail sector. “PCI is definitely necessary and I think Visa and MasterCard would have had to implement it sooner or later due to the sheer volume of transactions now occurring in business, particularly online.”
PCI compliance is made up of 12 main requirements. The standard applies to all system components throughout the transaction process and covers controls such as data encryption, user access control (both physical and system log-on) and secure networks. Procedural requirements are also covered, such as the need to implement formal information security policies and to carry out ongoing risk assessments of the system's vulnerability to malicious attack.
“Having notable levels of security and protection in their systems can give retailers more confidence that this data isn’t literally lying around, which to be fair in the past it probably was,” says Paul Makin, sales director at K3.

PCI compliance holds the added benefit of identifying the business as one that upholds standards of best business practice. The standard also aims to improve consumer confidence in card transactions and to reduce cardholder disputes and the costs resulting from fraudulent transactions made with compromised data.
Compliance takes place over several stages. A pre-compliance assessment analyses the business's existing infrastructure to identify potential compliance violations. A set of reports is produced that shows PCI compliance status throughout the business, allowing merchants to identify and deal with compliance issues prior to the auditors' arrival. Retailers must then demonstrate their compliance to auditors before achieving full PCI certification.

While all companies handling card data must comply with the same PCI DSS rules, the extent of audit required to prove compliance varies according to the size of the company. The smallest merchants may only have to self-certify, whereas the members, larger merchants and payment service providers must arrange an annual external audit and quarterly external network scans of their hosts with a Visa-approved Qualified Security Assessor (QSA). In other words, PCI DSS is not a one-off requirement; it involves continuous monitoring and review as the card industry moves toward a more regulated environment.
“We’ve only just got our own compliance and it’s cost us around half a million and we’re nowhere near the size of a retail operation,” says Gareth Wokes, chairman of The Logic Group. “So you’re talking about a lot of money, but more importantly you’re talking about a long time. You’re talking about a remediation programme that’s going to take six months to a year. Those we’re working with at the moment will be in time, those in the next three to six months may well be in time, somebody leaving this until next year, even with the best will in the world, they’re going to be right up against the deadline,” he adds.
Chip and PIN implementation was a costly process for many retailers, but due to its focus solely on PoS systems it was a manageable one. However, as Wokes says, “PCI affects far more than the store, it affects all of their operations so in that sense it’s huge. Personally I think most retailers aren’t in the frame of mind to think about this.”
A survey by The Logic Group revealed that not one of almost 100 merchants questioned had achieved full accreditation despite the original 30 June 2005 deadline having passed. Indeed, 55 per cent were not even aware of the data security process and a further 73 per cent had put no measures in place to ensure compliance in time.

The survey also highlighted that 57 per cent of those questioned had received no support or guidance on PCI. Many companies providing PCI compliance packages to retailers believe the poor take-up of PCI thus far could be due to a lack of understanding throughout the industry concerning what needs to be done in order to achieve compliance.
“There’s a lack of clarity, there hasn’t been a good job done in explaining the need for this. Because of that lack of clarity it has caused a lot of confusion. That coupled with the fact that it’s coming just after chip and PIN makes it a hard pill to swallow for many retailers,” says Paul Makin, sales director at K3.
Counting the cost
Retailers failing to comply with the standard face the prospect of substantial fines imposed by the card schemes or, alternatively, being permanently barred from accepting card payments should a security breach occur.

“I think it’s going to be expensive and some retailers will certainly struggle financially when implementing it. The system of fines works on individual transactions and these can quickly add up to become very costly for those retailers failing to comply,” says Arbor Networks’ Mulhearn.
Seeing that the regulation is met and enforced falls to the card companies. However, the card schemes’ members – such as the banks that sign merchants up as Visa retailers – also have a role to play in ensuring that their sponsored merchants are PCI DSS certified. In addition, these members and merchants should only buy payment-related services from PCI DSS certified service providers.
“I’m sure there will be a whole raft of people in the mid-tier space that won’t be compliant in time. There will be a lack of resources as we saw with chip and PIN; the banks just didn’t have enough people to accredit everybody,” says K3’s Makin.
Despite confusion among retailers as to what is required of them, one thing is clear – PCI compliance is essential. With time running out, and auditors and experts sure to be thin on the ground come early next year, all those involved in the card transaction process must begin taking steps to gain certification immediately. Otherwise they may find themselves facing a hefty bill from the pest controllers should they suffer a fraudster infestation post 30 June 2007.