Former CIO urges enterprises towards PCI compliance

Australian banks may have been working through their own Payment Card Industry Data Security Standard (PCI DSS) compliance issues, but that won’t stop them from fining business merchants from failing to meet the terms of the security initiative, according to an industry specialist.

PCI DSS was created by Visa, MasterCard and other major credit card brands and is administered by the PCI Security Standards Council.

All companies that accept payment cards are required to implement the 12 high-level security controls prescribed by the standard in order to help mitigate credit card fraud. Larger companies face significantly tougher compliance requirements than smaller firms.

Level 1 merchants — companies that process more than six million credit card transactions a year — must engage a qualified security assessor.

Mark Lewis, the Australia New Zealand director for payment solutions company, IP Payments, said some local banks were still working towards the standard.

“One of the key reasons is that some of the banks will send out credit card numbers in full on statements to card holders and that in itself does not comply with one of the controls set out by the PCI Security Council,” he said.

According to Lewis, a few banks have struggled with legacy applications and platforms, although he admitted he did not know how far the affected banks were from compliance.

On the enterprise front, he said recent data breaches in Australia had resulted in greater awareness of PCI standards. In February 2011, cosmetics company Lush was forced to shut down its website following attacks by hackers. At the time, the company advised customers to cancel their credit cards.

Lewis, a former chief information officer at UK-based card payments company, Cosmos, said local CIOs and CFOs were not completely up to speed with compliance.

“It’s a big challenge because some CIOs need to become familiar with the meaning of PCI, the ongoing costs and the ramifications of acquiring those skills inhouse versus bringing in an external provider to run compliance as a managed service,” he said.

Many organisations Lewis works with are in the process of analysing their internal environments to understand where credit card data is kept and how it could be properly secured.

“The banks are becoming much more diligent in enforcing the standards and announcing that the deadlines for compliance have passed,” he said.

“Therefore, any fines that are the result of a breach will be handed down to these organisations.”

The compliance deadline passed more than 12 months ago.

“I don’t know of fines that have been issued but the banks have outlined that it will happen,” Lewis said.

Look to smartphones in the future

In future banks and merchants will need to look at near field communications (NFC) technology where consumers will use smartphones pay for goods and services.

Similar wireless communications were trialled locally between ANZ and Visa during March.

“I believe the iPhone 5 will contain a chip which will allow the phone to be swiped at point of sale terminals. Once the customer base has that device in its hands, I think it will be adopted very quickly,” he said.

“At the end of the day it appears to be a very convenient mechanism to pay.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow CIO Australia on Twitter: @CIO_Australia