
Card Data Protection Enforcement Insufficient

The Bunker : 16 August, 2011  (Technical Article)
The Bunker comments on the weakness of Payment Card Industry enforcement of the controls governing how payment card transactions are handled
A number of high-profile data thefts, such as the hacking of the Sun newspaper's customer database and of the Sony PlayStation Network, have made people more aware than ever of online data security and of the few basic precautions they can take to protect themselves.

It is only a matter of time before consumers' attention turns to the security surrounding some of our most sensitive information: the debit and credit card details that are processed every time we make a purchase.

Each and every time a transaction is made, the consumer hands his or her card details to a multitude of companies involved in processing, authorising and recording it: the merchant, the merchant's bank (acquirer), the cardholder's bank (issuer), the settlement banks, the card processing company, and all the suppliers these entities use to run their networks, data processing and storage.

We have no option but to present our credit or debit cards to retailers and online merchants on a daily basis, and unauthorised access to this data allows fraudulent purchases to be made with ease. Yet even with this risk profile there is no legislation enforcing security for the processing of card data.

The Payment Card Industry Data Security Standard (PCI DSS) exists to ensure that each of these organisations meets specified criteria for handling card data, but it is a contractual requirement imposed by the card brands and passed down through the acquiring banks to merchants and processors; it is not a legal mandate.

For as long as PCI DSS is not a legal requirement, some card data processing organisations will undoubtedly look for the cheapest route to a compliance validation, treating it as a cost to be minimised rather than an investment in their customers. In time this results in shortcuts being taken and unnecessary risks being introduced.

The standard doesn't need to be tougher, but its enforcement does. Do we need to wait for an Enron-scale breach before being forced into a knee-jerk, rushed introduction of a Sarbanes-Oxley equivalent for card data?

Protecting a cardholder's details means building credit and debit card processing systems with security in mind from the ground up, and investing in that, rather than treating standards such as PCI DSS as a box-ticking exercise applied retrospectively to an existing system with the minimum possible resource. Only when every entity in the payment chain is legally required to adopt the combination of physical, human and digital security controls that the PCI standard already specifies can the chain be considered truly secure and incidents averted.