Too many merchants lack PCI compliance

19 February 2013

Many merchants are failing to comply with the Payment Card Industry Data Security Standard (PCI DSS), putting users’ credit card data at risk. The issue is not complacency, however, but obsolescence: too many stores and restaurants are in desperate need of equipment upgrades.

According to a report issued by SecurityMetrics, storing unencrypted credit card data is an all-too-common practice, and worse, many merchants don’t have a way to eliminate sensitive information from unprotected records.

“Dated technology is incapable of assisting its owner to meet today’s current payment security objectives,” said Brad Caldwell, SecurityMetrics CEO. “If an acquirer or ISO is stuck in a program that doesn’t implement cutting-edge technology, it’s imperative to remodel the program to include updated technologies that increase portfolio value and decrease risk.”

To that end, more than 80% of merchants say they prefer that their business be covered by a breach protection program. Preferably, that includes prevention technology and financial stability tools in the event of a breach. However, this type of breach protection may not be readily available through many merchant processors.

SecurityMetrics, unsurprisingly, recommends PCI technology modernization as a solution to the compliance crisis. Recently developed technologies, including data discovery, threat monitoring and threat prevention tools, are important in successfully achieving PCI compliance. In addition, updated management and compliance tracking tools enable easier program reporting, communication, and management for acquirer and ISO PCI compliance administrators.
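A minimal illustration of the data-discovery step the report refers to, added here as an example (it is not SecurityMetrics’ tool or any vendor’s code): it scans a stored record for Luhn-valid card-number runs and truncates each one to its last four digits. The sample record and the test card numbers in it are constructed.

```python
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed record of the kind the article describes (a filed authorization
# form with full card data). The card numbers are standard test numbers.
SAMPLE_RECORD = (
    "Fax authorization form\n"
    "Customer: J. Doe  Card: 4111 1111 1111 1111  Exp: 09/14\n"
    "Order ref: 1234567890123456  Phone: 555-867-5309\n"
    "Backup card on file: 5500-0000-0000-0004\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Discovery step: return digit runs that look like PANs and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):      # filters order numbers, phone numbers, etc.
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Remediation step: keep only the last four digits of each discovered PAN.

    PCI DSS permits at most the first six and last four digits to be displayed;
    keeping only the last four is the conservative choice for old records."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()        # leave non-card digit runs untouched
        return "X" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(repl, text)
```

Running `find_pans(SAMPLE_RECORD)` flags the two card numbers but not the 16-digit order reference, which fails the Luhn check; `mask_pans` then rewrites only those two.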

The situation is only set to worsen as the move to mobile and cloud-based business processes puts further pressure on credit card processing. In fact, many merchants are turning to payment outsourcing to deal with the technology obsolescence issue. The payment card security standards body, the PCI Security Standards Council (PCI SSC), has released new guidance for merchants using cloud-based systems for customer payment data, urging thorough due diligence on how data is handled both internally and by their cloud services provider.

“Many merchants mistakenly believe that if they outsource everything to a cloud service provider, much of the responsibility goes away for being PCI compliant – unfortunately, that’s simply not the case,” said Bob Russo, general manager at the PCI Security Standards Council, speaking to Infosecurity. “A merchant needs to ensure that a cloud services provider is PCI-compliant not just for its own piece, but for the entire spectrum, including what that provider is specifically doing for the merchant.”

Mobility poses similar challenges for processors, and existing compliance strategies are not necessarily equipped to handle developing trends. Juniper Research predicts mobile transactions will hit $1.3 trillion worldwide by 2015, four times today’s volume, as more and more businesses turn to consumer handheld devices (e.g., smartphones and tablets) for payment acceptance. Because these devices are not used solely as point-of-sale (PoS) tools but also carry out other functions, they introduce new security risks: by design, almost any mobile application could access account data stored in or passing through the device, Juniper noted.


Comments

3Dmerchant says:

26 February 2013
"storing unencrypted credit card data is an all-too-common practice": I totally agree, I find instances regularly with businesses I talk to.
"Worse, many merchants don’t have a way to eliminate sensitive information from unprotected records." Whose fault is that? Merchants need to take responsibility for their actions, or their lack of searching for one. One of the highest non-compliance types I encounter is companies who want to charge a stored payment method 'on demand' for repeat purchases. Other poor reasons are 'we wait for the transaction to clear our bank' and, in the rental market, 'we wait until the item has been returned and inspected'. Authorize.net, Braintree, and CenPOS are just a few examples of technology solutions that can eliminate storing unencrypted credit card data.
Merchants are mistaken if they think breach protection is going to help them if they have a file drawer full of 'fax authorization forms' with full card data.
