Interest in the Payment Card Industry Data Security Standard (PCI DSS) has ramped up sharply in Australia and New Zealand in the last few months, says Ken Celik, ANZ technical manager at data integrity specialist Tripwire.
This follows two years of what he says is low interest among merchants and even banks.
"I recently attended a payment card industry seminar organised by Terrapin in Sydney," Celik says. "There were security specialists there, as well as card and terminal manufacturers, but not many banks. That surprised me."
The standard aims at improving security among merchants and processing companies that handle credit and debit card and Eftpos payments. It was devised by major card companies such as Visa, Mastercard and American Express.
A series of deadlines has been set for compliance with the various elements of PCI DSS. The next significant deadline is September 30 this year, when card processors must verify that they and the larger merchants who use their systems "do not retain prohibited payment card data subsequent to authorisation of a transaction".
Retention of confidential data such as card numbers and customer identifying information has resulted in a number of serious security breaches over the past few years. The most recent was last month at a credit union in the US state of Virginia. This follows a potentially more damaging hack into Heartland Payment Systems in the US, which serves 175,000 customers.
The initial controls apply to Level 1 and Level 2 merchants, defined as anyone processing more than a million Visa or Mastercard transactions a year, but these thresholds will progressively move downwards.
On future dates -- beginning with the largest companies on September 30 next year -- regular security audits and network scans will be compulsory in order to retain "compliant" status.
Penalties for non-compliance include fines and ultimately withdrawal of card accreditation.
Merchants and card processors could be non-compliant as a result of faulty processes -- typically uncovered by an audit, says Celik -- or through outdated terminal equipment.
NZ Retailers Federation CEO John Albertson says local compliance with PCI DSS is in the hands of the banks and the payment processing companies -- the market leader being Paymark. "They say they're [handling the requirements] reasonably well," he says.
Paymark's risk and compliance manager, Rachel Fowler, says the company stands ready to help. "Paymark encourages New Zealand merchants to meet their PCI DSS requirements and is able to provide support to merchants, and other participants in the payments industry, through facilitation of industry forum compliance updates, 'tips for compliance' for our merchants and sharing our knowledge and experiences of the road to PCI DSS compliance," she says.
"Paymark also provides one-on-one support to merchants, assisting in working through the complexities of PCI requirements.
"We look to share our knowledge and expertise by providing merchants with access to our consultants when seeking to achieve PCI DSS compliance status, and thereby supporting them in developing their roadmap to compliance."