Retail chain Harvey Nichols has spoken out about the importance of complying with new PCI DSS regulations in a session at the Infosec 2010 conference.
Matthew Suddock, who manages infrastructure for the firm, said that the number of mainstream scandals relating to insecure payment card information was increasing at an unacceptable rate, citing the recent scandal involving retailer TJX as a prime example of the damage that can be done.
Mr Suddock said that TJX had lost over £73 million as a result of a serious data security breach, during which customer payment card details were stolen. Mr Suddock pointed out that there was no firm large enough to take this kind of financial hit and not feel the effects in the longer term.
It has taken two and a half years for Harvey Nichols to alter its payment card systems in order to ensure full compliance with PCI DSS, and Mr Suddock said that it now has several different safeguards in place to ensure that it does not suffer a similarly damaging data loss disaster.
Harvey Nichols no longer stores as many personal details relating to its customers, and the data which it does retain is not held for an unnecessarily long period, according to Mr Suddock. This is just one of the significant changes in practice that have been driven by PCI DSS adherence.
Card details are never stored in whole on any system, and information is separated into non-transferable systems, so that data recorded at a till cannot subsequently be passed on to a wireless network, or any other portion of the internal systems, minimising the risk of it being stolen in transit.
Tills themselves are now subject to continuous patching and updating, with firewalls and antivirus software keeping them free from infection, whilst each area of the system is managed independently to avoid any chance of it becoming compromised.
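As an added illustration of the "never stored in whole" rule, not code from Harvey Nichols or from the article: a Luhn-filtered scan over a constructed till log that flags any full card number written in clear and shows the truncated form a compliance check would expect instead. The first-six/last-four masking convention, the log format and the sample entries are assumptions.

```python
import re

# Constructed sample of a till audit log; no real cards. 4111111111111111 and
# 5500000000000004 are widely published test PANs that pass the Luhn check.
SAMPLE_LOG = """\
2010-04-28 10:02:11 till=07 sale ok pan=411111******1111 amount=120.00
2010-04-28 10:05:43 till=07 sale ok pan=4111111111111111 amount=45.50
2010-04-28 10:09:02 till=12 refund ref=1234567890123 amount=30.00
2010-04-28 10:11:19 till=12 sale ok pan=5500000000000004 amount=210.00
"""

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (assumed convention), mask the rest."""
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# 13-19 digit runs not embedded in a longer digit string (dates, times and
# amounts are too short to match; already-masked PANs contain no such run).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_unmasked_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for each Luhn-valid full PAN found.

    Only the masked form is reported so the scan itself never copies a full
    PAN into its own output. Numbers that fail Luhn (e.g. refund references)
    are ignored, which cuts false positives.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_ok(m.group()):
                hits.append((lineno, mask_pan(m.group())))
    return hits
```

Running `find_unmasked_pans(SAMPLE_LOG)` reports lines 2 and 4 only; the masked entry on line 1 and the refund reference on line 3 are left alone.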
Mr Suddock said that the major barrier to these changes had been the habits formed by staff over years in which insufficient safety measures were in place and that upgrading the systems was far easier than changing policy and practice.