Too many merchants lack PCI compliance

According to a report issued by SecurityMetrics, storing unencrypted credit card data is an all-too-common practice, and worse, many merchants don’t have a way to eliminate sensitive information from unprotected records.

“Dated technology is incapable of assisting its owner to meet today’s current payment security objectives,” said Brad Caldwell, SecurityMetrics CEO. “If an acquirer or ISO is stuck in a program that doesn’t implement cutting-edge technology, it’s imperative to remodel the program to include updated technologies that increase portfolio value and decrease risk.”

Accordingly, more than 80% of merchants say they would prefer their business to be covered by a breach protection program. Ideally, such a program includes both prevention technology and financial protection tools for use in the event of a breach. However, this kind of breach protection may not be readily available through many merchant processors.

SecurityMetrics, unsurprisingly, recommends PCI technology modernization as a solution to the compliance crisis. Recently developed technologies, including data discovery, threat monitoring and threat prevention tools, are important in successfully achieving PCI compliance. In addition, updated management and compliance tracking tools enable easier program reporting, communication, and management for acquirer and ISO PCI compliance administrators.

The situation is set to worsen as the shift to mobile and cloud-based business processes places additional pressure on credit card processing. In fact, many merchants are turning to payment outsourcing to deal with the problem of technology obsolescence. The payment card security standards body, the PCI Security Standards Council (PCI SSC), has released new guidance for merchants using cloud-based systems to handle customer payment data, urging thorough due diligence on how that data is handled both internally and by the cloud service provider.

“Many merchants mistakenly believe that if they outsource everything to a cloud service provider, much of the responsibility goes away for being PCI compliant – unfortunately, that’s simply not the case,” said Bob Russo, general manager at the PCI Security Standards Council, speaking to Infosecurity. “A merchant needs to ensure that a cloud services provider is PCI-compliant not just for its own piece, but for the entire spectrum, including what that provider is specifically doing for the merchant.”

Mobility presents similar challenges for processors, and existing compliance strategies are not necessarily equipped to handle emerging trends. Juniper Research predicts that mobile transactions will reach $1.3 trillion worldwide by 2015, four times today's volume, as more and more businesses turn to consumer handheld devices (e.g., smartphones and tablets) for payment acceptance. Because these devices are not used solely as point-of-sale (PoS) tools but also carry out other functions, they introduce new security risks. By design, almost any mobile application could access account data stored on or passing through the device, Juniper noted.