IDC EXECUTIVE BRIEF
PCI Compliance - The New Reality for European Retail Companies
October 2007
Sponsored by Easynet
Ivano Ortis
IDC EMEA, 389 Chiswick High Road, London W4 4AE, U.K. Tel. +44 20 8987 7100 www.idc.com

Executive Overview

Compliance with the payment card industry (PCI) data security standard is now a reality for every retailer: compliance should be high on every retailer's list of priorities for enterprise security. With this reality comes the need for retailers to fully understand their PCI compliance status through a thorough gap analysis and associated risk assessment.

Centre-stage for compliance must be a retailer's ICT infrastructure and, in particular, its networking capabilities. Implementing strong data encryption, protecting Web services and establishing a secure network architecture are fundamental to the compliance process. Early action to establish PCI compliance will go a long way to mitigating the risk of financial loss and damage to the retailer's brand.

Situation Overview

PCI demands that every retailer comply with a set of requirements concerning data networks, security policies and processes. PCI is a technical standard of "due care" developed and agreed on by credit card providers including Visa, MasterCard, Discover Financial Services, JCB and American Express.

With the latest release of PCI (version 1.1, in September 2006), the payment card industry has targeted cardholder information security throughout the payment life cycle. As a result, any entity that stores, processes or transfers cardholder data is subject to PCI compliance.

This IDC Executive Brief highlights the reasons why European retailers must achieve PCI compliance. IDC believes security requirements and imminent deadlines leave retailers no choice but to abide by the standard. Failure to do so would mean they run the risk of financial loss and damage to their brand.
Why Retailers Need to Achieve PCI Compliance

Payment, a vital function for the retail business, is rapidly evolving into electronic forms based on different technologies and transactional channels. The days of paying by cheque, for example, are coming to an end in the UK: cheques accounted for just over 2% of retail turnover in 2006. Also, in a recent worldwide consumer survey by Visa, cash was the preferred type of payment for only 19% of consumers, while 57% opted for credit cards.
In addition, the unstoppable growth of online sales is pushing retailers into a new round of investments in multichannel sales management systems. Responding to this growth, most major payment institutions have already launched dedicated programmes to ensure a secure online shopping experience for consumers.
Going forward into 2008, IDC expects the advent of "contactless" payment technologies to continue this trend, and add to its complexity. For example, Visa Europe planned to launch "Visa payWave" contactless card payments in London starting in the autumn of 2007.
In this rapidly evolving context, PCI provides direct guidance to merchants and service providers on implementing best practice. This guidance is aimed at building and maintaining a secure network and information system infrastructure. The focus is on protecting cardholder data by implementing strong access control measures. This protection must be achieved while conforming to a vulnerability management programme and maintaining an information security policy. Overall, PCI DSS includes 12 requirements and 175 subrequirements. Regarding these requirements, IDC emphasises the following:
- PCI DSS requirements - Depending on the number of credit card transactions processed every year by the merchant, PCI DSS mandates specific security requirements, with the strictest rules applied to level 1 merchants (i.e., those processing over 6 million transactions a year). Requirement categories include:
  - Effective firewall use and the restriction of sensitive information access to a need-to-know basis.
  - The encryption of cardholder information transmissions and the protection of st...