Adam Evans, NetIQ: The truth about PCI…

July 2008 by Marc Jacob

With organisations in 2007 having fallen victim to major data breaches, how does a merchant or retailer make sure that it is not held liable for customer credit card details being lost or stolen, and how can it keep up to date with the latest security practices?

Organisations increasingly need to secure this critical data in such a way that it not only complies with the latest regulations but also has the least financial and operational impact on their business. It is vital that they are able to leverage these efforts to maximise the return on investment.

The security breach at TJX, which operates the clothes retailers TJ Maxx in the US and TK Maxx in the UK, was thought to have led to the theft of at least 45.7 million credit and debit card records; it turned the threat of a data breach into a reality for all retailers and merchants. Safeguarding customer data should be a priority for anyone taking payment by credit or debit card. However, there continues to be a lack of security in the industry which needs to be addressed if retailers are to maintain both profit levels and consumer confidence.

The Times recently reported that identity fraud is still one of the fastest growing areas of crime and that it cost banks more than £212 million and affected 1.7 million people in 2007. If retailers and merchants fail to secure their customers’ personal data, these figures will only continue to increase.

The problem has been compounded by the ever-growing popularity of real-time unencrypted communications such as web mail and even instant messaging, which means it is becoming easier for criminals to hack into a network unnoticed. Recent data security breaches, such as that in the US at GE Money, which lost an unencrypted tape containing 650,000 retail customer details, highlight that organisations worldwide are not safeguarding personal data the way they should. What’s more, the problem is a global one: if a retailer’s system is hacked into in one country, the card details of customers worldwide are at risk simply because of the way customer data is stored.

Organisations that fall victim to a customer credit data breach are liable for large fines and could even face having their card processing capabilities withdrawn by their credit card company. The threat of such fines and of losing card processing capabilities has become the main driving force compelling many organisations in the UK to invest considerable time and resources into complying with the PCI Data Security Standard (PCI DSS).

Originally introduced in January 2005, the PCI DSS standard was designed to help organisations with security management, policies, procedures, network architecture, software design and other critical protective measures.

PCI DSS was developed by the five major credit card brands to harmonise existing security programmes into a single standard to give guidance to organisations to help minimise the threat of fraud and secure the processing of sensitive cardholder data. PCI DSS consists of 12 general requirements, organised into six related groups, which are called the ‘control objectives’.

The PCI DSS standard was introduced not only to protect a business against financial risk but also to protect a merchant’s or retailer’s brand value. Public awareness has increased due to the growing number of attacks aimed at stealing confidential data, and if customers feel their personal card details are not safe, they will take their loyalty elsewhere.

Compliance with the PCI DSS is compulsory for organisations that store, process and transmit cardholder data. However, a significant proportion of organisations remain non-compliant with the standard. There are many reasons for this but one main cause is the acceptance of the risks associated with non-compliance. This reason is the one that is of most concern to the payment brands and will ultimately be addressed by the levying of penalties.

PCI DSS is often viewed as an insurance policy rather than as a lock on the front door. Both serve the same purpose, which is to protect against the risk of loss, but the mechanism is completely different: where an insurance policy seeks to reimburse loss, a lock reduces the exposure to risk. In this context, compliance with the PCI DSS should be embraced as a way to secure brand value and provide a competitive edge.

Because the standard covers a wide range of security areas, such as physical security, encryption and access control, being compliant with it represents a significant long-term commitment of resources. However, a recent report distributed at the National Retail Federation (NRF) Annual Convention estimated that the cost to merchants and retailers of not meeting PCI requirements and being liable for a customer data breach could be 20 times greater than the cost of compliance.

Requirements for the PCI DSS standard range from the relatively simple task of ensuring that anti-virus software is kept up-to-date to the more complex and demanding procedural changes such as tracking and monitoring access to network resources and cardholder data.

One of the most difficult requirements to implement and enforce is the one that stipulates merchants and retailers must eliminate vendor-supplied passwords. Implementing this requirement demands a substantial commitment in terms of time and resources and involves several teams, since it can affect many systems across the organisation’s network. It is hardly surprising, then, that according to an October 2007 Wall Street Journal article, PCI DSS compliance rates were initially low.

Organisations that seek to comply with PCI DSS start by scoping the cardholder data environment (CDE) and then reviewing the components in that environment, including all communication to and from the CDE and physical access. The results are then measured against the PCI DSS requirements to identify the areas where compliance is not met (gap analysis). A remediation plan is then drawn up to identify the activities needed to close all of the “gaps”. Once these are completed, the organisation is assessed for compliance with the PCI DSS. Smaller organisations are allowed to complete a self-assessment questionnaire, whilst much larger organisations must validate their compliance via an onsite audit by a PCI Qualified Security Assessor (QSA).

Ensuring that all the processes and procedures that fall within the PCI DSS scope are in place to maintain compliance is a necessity, and usually requires a systematic and often automated set of procedures to be established. These procedures must also be clearly documented and visible to a QSA so that compliance can be shown to be maintained at a satisfactory level. Whilst most organisations report initial compliance within 12 to 18 months, maintaining compliance with the PCI DSS standard is an ongoing activity.

Organisations that seek to achieve compliance with the 12 PCI DSS requirements are finding that their compliance efforts are providing much broader benefits than they may initially have expected. Indeed, such benefits can cover many areas of the organisation, not just those areas concerned with the handling of credit card information.
