Treat card data like cash, businesses warned

UK businesses put themselves at risk of fraud by failing to put the same level of security around credit and debit card data as they use for cash.

“Many businesses still do not view card payment data as cash in hand, which it is,” said Connie Penn, who chairs the Forum for Chip and Pin for the hospitality industry and manages the Payment Card Industry Data Security Standard (PCI DSS) programme for the Post Office.

No company would move cash without physical security, but many still question the need to encrypt card data, she said.

“It fascinates me that they do not see card data as cash, and yet it is. Every merchant employs tight business practices around their cash, but they don’t do the same with card data.”

This needs to change, particularly as the number of card-based transactions continues to increase, she said, making it more important than ever for merchants to follow the best practices set out in the PCI DSS.

According to Penn, the latest version of the PCI DSS, released on 8 October, is much easier to use than previous versions.

“Version 1.2 provides greater consistency and removes a lot of the ambiguity that was causing difficulty,” she said.

Penn is to run through the details of each of the standard’s redrafted 12 requirements with members of business IT user group the Corporate IT Forum, in London on 30 October.

“My message will be that there is nothing to fear because the good news about version 1.2 is that it gives a lot more clarity on what businesses must do to conform to the standard,” she said.

Version 1.2 clarifies, for example, that anti-virus software must run on all systems used in card payment processing that are commonly affected by malware, not just on Microsoft Windows machines as many users had assumed.

The new version also gives a clear cut off date for switching from the Wired Equivalent Privacy (WEP) security algorithm for wireless networks to the stronger Wi-Fi Protected Access (WPA) standard.

No new WEP implementations will be allowed from 31 March 2009, and the use of WEP wireless networks must be discontinued by 30 June 2010.
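The two dates above give a merchant a concrete test to run against its wireless estate. The script below is an added example, not part of the original article or of the PCI DSS itself: it parses hostapd-style access point configuration (the `wep_key*`, `wep_default_key` and `wpa=` keys are real hostapd settings, but the sample configs and the store names are constructed for illustration) and reports each access point against the 31 March 2009 and 30 June 2010 cutoffs.

```python
"""Audit hostapd-style access point configs against the PCI DSS 1.2 WEP cutoffs."""
from datetime import date

# The two dates reported for PCI DSS 1.2.
WEP_NEW_DEPLOYMENT_BAN = date(2009, 3, 31)   # no new WEP implementations after this
WEP_RETIREMENT_DEADLINE = date(2010, 6, 30)  # existing WEP must be gone by this

# Hypothetical audit dates used by the examples below.
AUDIT_DATE = date(2009, 10, 1)        # between the two cutoffs
AFTER_RETIREMENT = date(2010, 7, 1)   # after the retirement deadline


def parse_hostapd(text):
    """Parse 'key=value' lines of a hostapd.conf into a dict, ignoring comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def classify(cfg):
    """Return 'wep', 'wpa2', 'wpa' or 'open' for a parsed hostapd config."""
    # Any WEP key material or default-key selection means the AP speaks WEP.
    if "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg):
        return "wep"
    wpa = cfg.get("wpa", "0")  # hostapd: 0=none, 1=WPA, 2=WPA2/RSN, 3=mixed
    if wpa in ("2", "3"):
        return "wpa2"
    if wpa == "1":
        return "wpa"
    return "open"


def assess(cfg, deployed_on, today):
    """Judge one AP: (ssid, mode, verdict) relative to the two PCI DSS 1.2 dates."""
    mode = classify(cfg)
    ssid = cfg.get("ssid", "<no ssid>")
    if mode != "wep":
        return ssid, mode, "ok"
    if deployed_on > WEP_NEW_DEPLOYMENT_BAN:
        return ssid, mode, "violation: new WEP deployment after 2009-03-31"
    if today > WEP_RETIREMENT_DEADLINE:
        return ssid, mode, "violation: WEP still in use after 2010-06-30"
    return ssid, mode, "must migrate to WPA by 2010-06-30"


def audit(inventory, today):
    """inventory: list of (deployed_on, hostapd_text). One verdict per AP, in order."""
    return [assess(parse_hostapd(text), deployed_on, today)
            for deployed_on, text in inventory]


# Constructed sample inventory (hypothetical store APs, not real data).
WEP_TILL_AP = """
interface=wlan0
ssid=till-lan
auth_algs=2            # shared-key auth, WEP only
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789
"""

WEP_NEW_AP = """
interface=wlan0
ssid=stockroom
wep_key0="abcde"
"""

WPA2_AP = """
interface=wlan0
ssid=pos-secure
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
"""

SAMPLE_INVENTORY = [
    (date(2008, 5, 1), WEP_TILL_AP),    # WEP installed before the ban
    (date(2009, 6, 15), WEP_NEW_AP),    # WEP installed after 31 March 2009
    (date(2009, 9, 1), WPA2_AP),        # WPA2 with AES-CCMP
]

if __name__ == "__main__":
    for ssid, mode, verdict in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{ssid:12} {mode:5} {verdict}")
```

The check deliberately keys on the presence of WEP key material rather than on an "encryption=" label, since a WEP key left in the config is what actually enables the weak cipher; a mixed WPA/WPA2 (`wpa=3`) network still passes here, but a merchant should move to WPA2 with CCMP rather than stop at TKIP.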

These are two of the most important of the 100-plus clarifications and explanations that Penn is to discuss at the Corporate IT Forum workshop later this month.

The next version of the standard is not due for another two years, but the PCI Security Standards Council will publish best practice guidelines as threats emerge.

In the coming year, for example, the council is to set up special interest groups to discuss what should be done to protect virtual machines used in processing card payments.

“These discussions will result in best practices based on consultation with all the stakeholders before they are mandated in future versions of the standard,” said Penn.
