Security research and development company Security-Assessment.com has validated Payment Card Industry (PCI) compliance for New Zealand internet transaction company Direct Payment Solutions (DPS).
In an effort to minimise fraud, credit card companies Visa, Mastercard, American Express, Discover and JCB International are jointly enforcing the PCI Data Security Standards (PCI DSS) on large-scale merchants and banks to begin with, then progressively on smaller organisations.
The standards mandate such practices as installing firewalls, encrypting confidential information such as card numbers in transit and not retaining transaction details in a merchant’s system for longer than necessary.
DPS provides the Payment Express suite of credit card and Eftpos processing services. It claims to be one of the first companies in the region to achieve PCI DSS compliance and values it as a competitive advantage over its rivals, says infrastructure manager Jonathan Boucher.
Some sources in the card services and equipment sector have expressed surprise at the slowness with which merchants and card-processors are becoming compliant (Computerworld, April 13), but there has also been some scepticism internationally about the practical effectiveness of the standards.
Some US merchants have achieved compliance, only to be found non-compliant when reassessed after a fraudulent transaction, because their practices had changed or their policies were not being enforced.
To remain compliant, companies need to be reassessed annually, and meetings should be held more frequently to discuss continued compliance, particularly in the wake of any change in practices, software or hardware, says Dean Carter, the Security-Assessment.com PCI consultant in charge of the DPS assessment.
Boucher declined to discuss the challenge of continued PCI compliance.
“I’m not there to help people tick boxes,” Carter emphasises. The best approach is to develop a strong security policy independent of the compliance need.
“No standard is ever really going to be able to keep up with the changing environment,” he says. “It’s our job to make our clients secure, and PCI compliance will fall out of that.”
The PCI standard has already been revised to cope with such innovations as wi-fi networks and the growing use of laptops, Carter says.
The PCI Security Standards Council, ruling body for the standards, currently has a working party dealing with the implications of virtualisation.
Most local companies Computerworld has questioned about their compliance, including major banks, are more reticent than DPS on the subject.
Carter declines to disclose the exact number of companies Security-Assessment.com has helped to full compliance.
“It’s a handful or two,” he says, adding that many more have consulted with the company with a view to improving their security, or have been assisted in a process of self-assessment.