/v3-uk/news/1990493/uk-firms-credit-card-security-deadline
29 Sep 2006, Matt Chapman, V3
UK companies handling credit card data must be compliant with the Payment Card Industry Data Security Standard (PCI DSS) by 30 June 2007 or face being dumped by credit card companies.
The deadline had originally been pushed back from 30 June 2006 because of the introduction of chip-and-pin.
"Chip-and-pin delayed companies becoming PCI compliant because the credit card companies said that they could not do both at the same time. It's a big move in the UK market," Jon Shaw, European sales manager at encryption firm Ingrian, told vnunet.com.
Shaw explained that the cost of chip-and-pin had led to the delay. "After chip-and-pin Visa, MasterCard and American Express had a big push on PCI. But a lot of the major retailers were not particularly happy," he said.
However, Ingrian maintained it is unlikely that the deadline will be pushed back again.
"It is possible that the deadline could shift, but it is not probable," said Erich Baumgartner, vice president of sales and marketing at Ingrian.
Baumgartner explained that the PCI standard is made up of 12 or 13 different criteria, 10 of which are technologies that a lot of companies already have in place.
"They can show the auditor that they are using their intrusion detection systems this way, they are using their firewalls that way and they have virtual private networks so that information is encrypted in transit," he said.
"But the big gap is that nobody has been deploying encryption to secure that sensitive data when it is at rest."
Shaw said that one of the biggest challenges for companies looking to use encryption is to discover exactly where the data resides on their systems before they can deal with it.
Companies handling four million transactions or more per annum will face annual audits. Any company below that level has to go through the equivalent of a self-assessment process and become self-certified to the standard.
"If they have a breach and they are found to have self-certified when they are not in compliance, Visa, Amex or whoever will pull the plug on them and say that they did not play the game," said Shaw.
The British Retail Consortium estimates that credit card fraud cost UK retailers £2.2bn in 2005.
Shaw and Baumgartner were speaking at the launch of Ingrian's i110 DataSecure product line, which attaches to a network and stores encryption keys centrally.
Half-Way
Something more is needed here. We're only halfway.
Bogus webshops with scanned credit card company logos will still lure people in a rocketing way.
Spread of identities won't be stopped by PCI solutions. It's not just the eShopper who is criminal. There are criminal vendors, criminal staff at honest vendors/web portals/PSPs, and brute force is still an ongoing method to steal valid credit cards, not to forget spyware on eShopper computers.
Moreover, SSL-128 encryption is already compromised and that's published.
We must assemble our techniques at the sources and start considering the fact that to become a criminal eShopper one must steal the identity in the first run. When it's already stolen it's in my opinion very late for action. An analogy: pain in our hands can be cured by aspirin. Better is to do something about the wooden piece stuck in the hand.
Posted by William Palmborg, SecuraCharge, 29 Sep 2006