Many merchants have still not been assessed as compliant with the Payment Card Industry Data Security Standard (PCI DSS).
Despite several deadlines being set, no penalties have been levied for non-compliance in New Zealand, says security consultant Kyle Gibson.
Penalties have, however, been levied on larger merchants in the US and Europe, he says.
Some non-compliant merchants are in “duck-and-cover mode, hoping PCI DSS will go away”, he says. Others may still be unaware that they are required to be compliant. Only about a third of New Zealand merchants are fully compliant, he estimates, “and the smaller ones are virtually untouched” by compliance checking and enforcement.
The standard, directed chiefly at protection of cardholders’ data, applies to all merchants, but the deadlines for compliance and the strength of enforcement for small merchants are a matter for discussion between the merchant and their payment services supplier, say official standards documents.
Wellington company Confide, where Gibson is principal security engineer, assists merchants to achieve compliance with the standard. An important facet of the standard is to ensure that identifying data from a customer’s card, which could be used to process illicit transactions, is stored only for as long as necessary and in strictly circumscribed and secure places on the merchant’s network.
“Often, people trying to become compliant start by buying firewalls and doing technical stuff,” says Gibson.
The processes and procedures of the business should be examined first. “You need to start by knowing what your sensitive data is and where you’re keeping it.” It’s surprisingly easy for data to end up in the wrong places. A helpdesk operator handling a customer enquiry, for example, might note down the credit-card number in a text document or spreadsheet and forget to delete it.
Unstructured data such as text documents and emails, as well as the structured data in databases, should be examined for the presence of what may be leaked card data.
Confide has developed QuaSAr, an application that scans an organisation’s data for the presence of telltale leaked data. If something that may be a card number or data from the tracks on the magnetic stripe on a card is detected in the wrong place on the computer system, it is brought up for manual attention. Manual inspection is the final arbiter of whether data is leaking, Gibson says.
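The kind of check described above, as an added example that is not QuaSAr or any Confide code: a small Python scanner that walks a set of text sources, flags anything that looks like a card number (13 to 19 digits, optionally separated by spaces or dashes, and passing the Luhn check) or like raw magnetic-stripe track data, masks all but the last four digits, and returns the candidates for manual review. The file contents are constructed sample data, and the track 1 and track 2 patterns are simplified approximations of the common magnetic-stripe layouts rather than a full implementation of those formats.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, each optionally followed by a single space or dash.
# The lookarounds force the match to cover a whole digit run, so an over-long
# digit string (e.g. a 20-digit reference number) is never partially matched.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified track 1 layout: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Simplified track 2 layout: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")

# Constructed sample "files": a helpdesk note, a point-of-sale debug log and a CSV.
SAMPLE_FILES = {
    "helpdesk_notes.txt": (
        "Customer called re refund, card 4111 1111 1111 1111 exp 12/26\n"
        "Ticket 1234567890123 closed\n"
    ),
    "pos_debug.log": (
        "2024-05-01 swipe raw=;5500000000000004=26121011234567890?\n"
        "2024-05-01 swipe raw=%B4111111111111111^DOE/JOHN^26121010000000000?\n"
    ),
    "invoices.csv": "inv,amount\n4111111111111112,10.00\n",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str       # "pan", "track1" or "track2"
    masked: str     # only the last four digits are kept in the report


def mask(pan: str) -> str:
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_text(source: str, text: str) -> list:
    """Scan one text source line by line and return candidate findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append(Finding(source, line_no, "track1", mask(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append(Finding(source, line_no, "track2", mask(m.group(1))))
        # Blank out track matches so their PAN is not reported a second time.
        remaining = TRACK1_RE.sub(" ", TRACK2_RE.sub(" ", line))
        for m in PAN_RE.finditer(remaining):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):      # drops order numbers, phone numbers etc.
                findings.append(Finding(source, line_no, "pan", mask(digits)))
    return findings


def scan_files(files: dict) -> list:
    """Scan every (name, content) pair; order follows the input order."""
    results = []
    for name, content in files.items():
        results.extend(scan_text(name, content))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no} {f.kind:6} {f.masked}  -> needs manual review")
```

On the sample data the scanner reports the helpdesk note and both swipe lines in the debug log, while the 13-digit ticket number and the Luhn-invalid number in the CSV are left alone; every hit is still only a candidate, and, as the article says, a person decides whether it is really leaked card data.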
This is not the only step in ensuring compliance, but if no leaked data is found it provides an important element of confidence, says Gibson. Of course if data has leaked, the weakness in the system can and should be tracked down and remedied.
Nor is formal compliance the whole story, he emphasises. “While a secure system is a compliant system, the reverse does not necessarily apply.” A full range of security precautions should be put in place and vetted by a qualified security professional.
Once compliance has been achieved, a merchant must recheck systems at least annually and after any change to the software, say PCI DSS standards.
While there may be a lackadaisical attitude to that standard in some quarters now, increasing recognition will make compliance an important competitive advantage for the company that has it, Gibson says.