
Retailer's role in PCIDSS compliance

SecureTrading : 15 June, 2009  (Special Report)
Jon Prideaux of SecureTrading looks at the balance of responsibilities for cardholder security between retailers and card payment providers.
When we hear about yet another data compromise, where millions of consumers have had their card details stolen, we all groan. We worry whether confidence in shopping online will be affected. And we worry whether our card details have been stolen! Looking after data is important. It's important for retailers to hold their customers' data securely and it's important for banks and payment processors to do the same.

So why is it that the British Retail Consortium has voiced its concerns over the PCI DSS programme and actively sought dialogue with the payment card issuers Visa, MasterCard and American Express? In the US there is dissent too: Michael Jones, the chief information officer at the retail company Michael's, testified to a Congressional Committee that the PCI rules were 'expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.'

The basic problem is that with Visa and MasterCard payments, the data used to initiate a payment has to be made available to the retailer in order for the transaction to occur. In other payment systems, designed rather than adapted for use on the internet, the customer's sensitive payment details don't have to be revealed. In the Netherlands, the payment scheme iDeal, for example, puts the customer in direct session with their bank and all the merchant receives is confirmation that the payment has been completed.

However, for as long as we have the current system, in which card details can be compromised and used to make fraudulent transactions, it is right that Visa and MasterCard, through the Payment Card Industry Council's Data Security Standard, set rules to ensure that the data is protected. But have they got the balance right? Are they being heavy-handed?

Many big breaches have come from payments infrastructure providers, yet the suspicion amongst the retail community is that too much of the fire is directed at retailers and not enough at the banking companies that are not compliant. I call for greater transparency so that all affected can see that the process is being applied consistently. Whilst the de-listing of RBS Worldpay showed that Visa would act, the concern persists that action could have been taken earlier.

All responsible retailers understand that, if they store card data, it must be in a secure form, but is it really sensible to spend so much effort getting retailers to implement costly PCI compliance programmes when all they do is transmit card details to their PCI certified payment service provider?

Here at SecureTrading I suppose that I shouldn't be making a fuss. PCI is a bit of a goldmine: we are picking up business by helping retailers to simplify their compliance process, and we've developed a range of customisable "PCI-free" payment pages to help retailers overcome the challenge of PCI DSS. In fact, many big retail brands have already recognised the benefits of this solution and chosen to go down this route, so they don't need to go through their own compliance process.

As a result, companies of all sizes can now achieve PCI DSS compliance with flexible solutions that integrate with their existing technology infrastructure and remove the need for costly IT development investment. This includes two new products that have been introduced to complement the existing payment page integration, so that retailers now have the added choice of a hosted payment page on a dedicated merchant server or hosted code on a dedicated server.

By working with SecureTrading, retailers are achieving full compliance, reducing overheads and avoiding penalties which can exceed €100,000.

Good for us, but is it good for the industry? Perhaps there needs to be a carrot as well as a stick. Why is it that retailers, under threat of fines, have to implement these measures when the beneficiary is the issuing bank? Shouldn't the payment schemes or the issuers be subsidising some of this work? They are the ones who will ultimately benefit.