UK companies handling credit card data must be compliant with the Payment
Card Industry Data Security Standard (PCI DSS) by 30 June 2007 or face being
dumped by credit card companies.
The deadline had originally been pushed back from 30 June 2006 because of the
introduction of chip-and-pin.
"Chip-and-pin delayed companies becoming PCI compliant because the credit
card companies said that they could not do both at the same time. It's a big
move in the UK market," Jon Shaw, European sales manager at encryption firm
Ingrian, told vnunet.com.
Shaw explained that the cost of chip-and-pin had led to the delay. "After
chip-and-pin Visa, MasterCard and American Express had a big push on PCI. But
a lot of the major retailers were not particularly happy," he said.
However, Ingrian maintained it is unlikely that the deadline will be pushed
back again.
"It is possible that the deadline could shift, but it is not probable," said
Erich Baumgartner, vice president of sales and marketing at Ingrian.
Baumgartner explained that the PCI standard is made up of 12 or 13 different
criteria, 10 of which are technologies that a lot of companies already have in
place.
"They can show the auditor that they are using their intrusion detection
systems this way, they are using their firewalls that way and they have virtual
private networks so that information is encrypted in transit," he said.
"But the big gap is that nobody has been deploying encryption to secure that
sensitive data when it is at rest."