PCI demands that every retailer comply with a set of requirements concerning data networks, security policies and processes. PCI is a technical standard of "due care" developed by and agreed on by credit card providers including Visa, MasterCard, Discover Financial Services, JCB and American Express. With the latest release of PCI (version 1.1, in September 2006), the payment card industry has targeted cardholder information security throughout the payment life cycle. As a result, any entity that stores, processes or transfers cardholder data is subject to PCI compliance. This IDC Executive Brief highlights the reasons why European retailers must achieve PCI compliance. IDC believes security requirements and imminent deadlines provide no other choice for retailers but to abide by the standard. Failure to do so would mean they run the risk of financial loss and damage to their brand.
Why Retailers Need to Achieve PCI Compliance

Payment, a vital function for the retail business, is rapidly evolving into electronic forms that are based on different technologies and transactional channels. The days of paying by cheque, for example, are coming to an end in the UK — cheques accounted for just over 2% of retail turnover in 2006. Also, in a recent worldwide consumer survey by Visa, cash was the preferred type of payment for only 19% of consumers, while 57% opted for credit cards. In addition, the unstoppable growth of online sales is pushing retailers into a new round of investments in multichannel sales management systems. Responding to this growth, most major payment institutions have already launched dedicated programmes to ensure a secure online shopping experience for consumers. Going forward into 2008, IDC expects the advent of "contactless" payment technologies to continue this trend and add to its complexity. For example, Visa Europe planned to launch "Visa payWave" contactless card payments in London starting in the autumn of 2007.

In this rapidly evolving context, PCI provides direct guidance to merchants and service providers with regard to the implementation of best practice. This guidance is aimed at building and maintaining a secure network and information system infrastructure. The focus is on protecting cardholder data by implementing strong access control measures. This protection must be achieved while conforming to a vulnerability management programme and maintaining an information security policy. Overall, PCI DSS includes 12 requirements and 175 subrequirements. Regarding these requirements, IDC emphasises the following:

- PCI DSS requirements — Depending on the number of credit card transactions processed every year by the merchant, PCI DSS mandates specific security requirements, with the strictest rules applied to level 1 merchants (i.e., those that are processing over 6 million transactions a year). Requirement categories include:
  - Effective firewall use and the restriction of sensitive information access to a need-to-know basis.
  - The encryption of cardholder information transmissions and the protection of stored sensitive data.
  - The development of Web applications based on secure coding guidelines such as those of the Open Web Application Security Project (OWASP).
  - Onsite audits, quarterly network scans and the tracking and monitoring of all access to network resources.
  For example, a level 1 merchant needs to submit an annual report on compliance, validated by an approved independent auditor.
- PCI DSS deadlines — Compliance deadlines are set by each credit card provider and are usually region specific — global retailers, for example, might find differing rules and deadlines in individual regions. In Europe, a slower pace towards PCI compliance has been seen so far when compared to the US. This is due not only to the stronger push to PCI being made by Visa USA, but also to state regulations that are embedding PCI best practices into local legislation. In this regionally diverse context, we see that credit card providers have realistic expectations for Europe, considering that the percentage of retailers that are currently PCI compliant is fairly low. Some degree of flexibility may apply to the following formally announced deadlines:
  - UK companies handling credit card data were required to be compliant with PCI DSS by June 30, 2007. As of today, it appears that only a small percentage of merchants in the UK are PCI compliant, but most companies are reporting actual plans to achieve compliance in the short term. Still, a significant minority has not yet started this journey.