A study has found that a significant proportion of retailers operating in the UK are unfamiliar with the revised Payment Card Industry Data Security Standard (PCI DSS).
The finding comes from research carried out by LogLogic, which discovered that 13.8 per cent of retailers had no knowledge of the second edition of the PCI DSS and a further 15.5 per cent said their understanding of it was incomplete.
This leaves close to a third of the market largely in the dark about the current payment card security requirements, a fact many experts find troubling.
Further questions in the study found that just 36 per cent of retailers were aware that the new PCI DSS makes significant changes to the previous requirements, in particular those covering the networks that handle payment card transactions within a business and any virtualisation technology in use.
Auditing by the payment card schemes was also covered by the survey, and a majority of respondents said they were being audited more regularly than in previous periods.
PCI DSS version 2.0 was published in October 2010. LogLogic chief executive Guy Churchward said there is a worrying lack of understanding, and in some cases of basic knowledge, of the new requirements and how they apply to UK retailers; as a consequence, he believes many will need to change their own systems in order to comply with the standard.
Mr Churchward said that becoming PCI DSS compliant is not a single act but requires constant monitoring and auditing to ensure data protection and continued compliance, and that businesses that meet these requirements will be able to give clients and customers confidence.
Half of respondents said the new PCI DSS was a positive influence and potentially valuable to their business, and close to a fifth said they would use its requirements to secure investment in up-to-date security systems.
Following its launch last week, the first reactions to the second version of the Payment Card Industry Data Security Standard (PCI DSS) have been voiced, with many IT security experts expressing cautious optimism about the new requirements.
The development of PCI DSS 2.0 involved many industry bodies and is intended to improve the security of debit and credit card transactions made around the world.
PCI DSS 2.0 takes effect from the start of 2011; firms that fail to adhere to its requirements remain exposed to the fines and other penalties levied through the card schemes.
Security expert Ron Gula said it is in businesses' interest to take the PCI DSS on board and use it as a foundation for future policies on network security and data loss prevention.
Mr Gula explained that the PCI DSS will not in itself ensure security, so minimal compliance is less desirable than going beyond what is required in preventative measures. Complying with the PCI DSS is also seen as a good way to limit downtime and recover after a breach, according to Mr Gula.
Imperva's Amichai Shulman said that businesses and organisations can better support their wider security infrastructure by adhering to the PCI DSS. He explained that investment in added security would not just bring businesses in line with its requirements but would improve the operation as a whole.
Earlier in 2010 a survey by Redshift Research found that little more than a tenth of UK organisations handling payment card transactions actually complied with the previous version of the PCI DSS. As a result many industry experts are welcoming the updated standard and believe that the sooner it is in place, the better businesses will be able to ensure data protection.
Many urge businesses to work with PCI DSS compliance rather than see it as a hindrance, and building strategies for ongoing adherence to its requirements is seen as the most sensible route to a more secure future.
A new report into how companies are coping with the Payment Card Industry Data Security Standard (PCI DSS) has found that a large number of businesses handling significant daily transaction volumes are failing to comply with the standard, leaving themselves open to exploitation and data loss.
Verizon commissioned the study and said that firms which had shown a willingness to comply with the PCI DSS were at much lower risk of security breaches and data loss than those failing to meet its requirements.
The study found that organisations which had suffered a breach were 50 per cent less likely to have been compliant than those which had not.
Only 22 per cent of firms handling payment card data were found to be fully compliant at their initial assessment. However, among the remainder there were still many businesses which had the necessary measures in place for the standard's most significant requirements.
Seventy-five per cent of the organisations assessed had met 70 per cent or more of the PCI DSS requirements.
Verizon concluded that although compliance is patchy and inconsistent, the areas in which it is most lacking are those that expose firms to the greatest threat of data loss. Many firms could not track and log which individuals were accessing network resources and cardholder data (Requirement 10), and failures to regularly test security systems and processes (Requirement 11) and to protect stored cardholder data (Requirement 3) were also common.
Experts believe that firms which fail to comply with the PCI DSS should review their policies and put in place systems that keep them within the standard over the long term, rather than mounting a one-off blitz to improve security that will not hold up over time.
Verizon's Peter Tippett said the study was intended to act as an incentive for businesses to review the PCI DSS and adjust internal policies to ensure compliance.
The organisation responsible for the Payment Card Industry Data Security Standard (PCI DSS) has begun the process of reviewing and updating the rules that aim to protect the card details of millions of consumers and businesses around the world.
The PCI Security Standards Council announced that it would be reviewing the current standards and making amendments, although it confirmed that the changes would introduce no new major requirements for businesses.
The council published a summary of how threats to the payment card industry have changed in the recent past and explained how this would be reflected in the revised PCI DSS.
A variety of industry areas are covered by the PCI DSS, and the first set of changes is to take effect by October, with alterations to the PIN transaction security requirements. The PCI Security Standards Council said it was preparing those affected by the changes as the launch date draws near.
The buzzword surrounding the updated PCI DSS is flexibility: the council believes businesses, financial institutions and PCI suppliers will be able to scale their operations and defences to match the severity of the threat, in addition to having access to improved tools for reporting and detecting vulnerabilities.
Significantly, no additional obligations will be imposed as a result of the revision; the emphasis is instead on clarifying and allocating responsibility.
The council's Bob Russo said that the fact the update would make only small adjustments to the current PCI DSS underlined the robustness of the existing standard.
Mr Russo went on to say that the council was giving organisations plenty of notice ahead of the changes so they could make any necessary alterations to policy and systems.
In addition to updating the PCI DSS, the council is to chair events at which key groups can express their opinions and become involved in formulating future security strategies.
Enforcement of the data security standards governing the payment card industry begins next month, and experts believe many UK businesses could face hefty fines for non-compliance.
Visa is enforcing PCI DSS from the start of July. As a result, the electronic point of sale (EPOS) systems and online retail sites operated by many smaller UK enterprises could come under scrutiny and be found wanting under the rules.
Larger businesses have until the end of September to ensure compliance, as the process of converting outdated systems is expected to be lengthier and more complex in organisations of significant size.
The card schemes divide merchants into tiers (levels) by annual transaction volume, separating those handling the most transactions from those handling the fewest. Tier one comprises the largest merchants, with six million or more payment card transactions a year, while tier four merchants handle fewer than 20,000.
Experts believe Visa will start issuing fines to firms that have not achieved full compliance as soon as the rules come into effect for their tier.
Fines are levied by the card scheme on the acquiring bank, which passes them and the associated costs on to the non-compliant merchant, according to Barclaycard's head of security Neira Jones.
Smaller firms in tiers two to four are encouraged to achieve full compliance, because a breach will not only result in direct fines but may also move them up into tier one, with its more onerous validation requirements and charges, which could have a long-lasting impact according to data security expert Mathieu Gorge.
Some believe smaller firms are being penalised under the new system, with security advisor John Walker suggesting that the limited understanding and explanation of the PCI DSS rules among lower-tier UK businesses could result in fines and poor treatment for those who unwittingly break them.
Businesses handling payment card transactions will need to examine in detail the freshly updated security requirements from the PCI Security Standards Council in order to ensure continued compliance and protection for customers.
The council manages the Payment Card Industry Data Security Standard (PCI DSS), which is accepted internationally by businesses of all kinds. Sub-standards within the overall set of rules have been updated to keep pace with changing technology and the threats against which businesses and consumers must be robustly defended.
The requirements governing PIN Transaction Security (PTS) for Point of Interaction (POI) devices are now moving to version 3.0, the update representing the council's three-year review cycle. Many hundreds of businesses were involved in formulating the update, which is intended to ensure that real-world threats are addressed.
The council has confirmed that the new requirements standardise the rules for PIN entry terminals. Until now, separate requirement sets applied to attended point-of-sale PIN entry devices, unattended payment terminals and encrypting PIN pads; replacing these with a single unified set of requirements should make compliance easier while simultaneously improving security.
Several new requirements have been introduced to increase security in key areas. These include replacing older, less secure wireless protocols for transmitting payment card data with more robust alternatives, and requiring encryption of cardholder data whenever it is handled by a terminal and at every point on its journey.
The council accepts that these stricter requirements need suitable technology to support them and has therefore approved additional devices and technologies to help firms comply and to make payment card information much harder to reach without the requisite authority.
The council's Bob Russo said that protecting customer data and preventing loss or theft would be made far easier under the new requirements, with blanket encryption and improved wireless protocols making all the difference.