Retail Systems, June - July 2012, page 30: PCI DSS supplement
Underlying risk

Many retailers find the requirements for PCI compliance confusing. But even more worryingly there are some who adopt a 'tick box' approach rather than addressing real security issues, writes Liz Morrell.
Any retailer that takes card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS) or risk hefty fines. But many feel that the PCI standard, which comprises a list of 12 requirements covering both technology and the business processes and procedures surrounding the electronic or manual storage, processing or transmission of cardholder information, is confusing and therefore difficult to adhere to, especially as there are also different levels of compliance according to the size of a retail business.
And although the current version of the standard, which is updated on a three-year cycle, has been in place since October 2010, there have been minor enhancements which retailers have to keep on top of: for example, the January announcement of an internal vulnerability assessment, which comes into force at the end of this month and must be completed on a quarterly basis, and the requirement that payment applications also be compliant with the standard at the same time.
Acquiring banks now have a bigger focus than ever on PCI compliance and are imposing monthly fines to spur retailers into achieving compliance.

"The acquirer is tending to give quarterly reports back to the card schemes, who are imposing monthly fines and can also charge higher transaction charges of retailers because they view them as an increased threat," says Robin Adams, director of security, fraud and risk management at The Logic Group and also a QSA (Qualified Security Assessor) for PCI DSS.
Solution explosion

The stricter enforcement has led to an explosion in technology vendors rushing to market with PCI solutions, and that in itself can be confusing.
A number of solutions are becoming popular, including point-to-point encryption (P2PE), tokenisation and outsourcing.
"Many retailers are now looking at point-to-point encryption (P2PE) and tokenisation as potential ways to minimise their PCI requirements. Taking legacy environments out of scope can dramatically reduce the effort and cost involved," says a spokesman for VeriFone.

"For others, who want to reduce the PCI burden even further, opting for a 'Payments as a Service', which involves a third party managing the entire payments process, can offer a cost-effective and less disruptive route to PCI."
Tony Hammond, product director at Torex, says the ultimate protection comes from using P2PE in conjunction with tokenisation.

"Point-to-point encryption (P2PE) utilising hardware-based encryption, used in conjunction with a tokenisation process, not only secures data but can mitigate up to 70 per cent of PCI controls," he says.
Graham Thompson, sales and marketing director at Semafone, says removing card data from retail environments can provide big savings. "As decryption keys are not available to the merchant, this encrypted data can cross their networks without bringing them into scope for PCI DSS. This can then save merchants millions of pounds of cost in not having to secure their networks and information systems to the standard of PCI DSS," he says.
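The scope-reduction idea behind the Torex and Semafone quotes, worked through as an added example that is not code from Retail Systems or from any vendor quoted above. It covers the tokenisation half only: a hypothetical processor-side TokenVault (outside the retailer's network) issues opaque tokens, the retailer persists nothing but the token, the truncated PAN and the expiry, and a Luhn-filtered scan over the retailer's records, the kind of check an assessor uses to confirm no full card numbers remain in the environment, comes back empty. The vault, the record layout and the test card number 4111111111111111 are all constructed for the illustration.

```python
"""Tokenisation as PCI DSS scope reduction: added illustration, not code from
the magazine or any vendor it quotes.

Assumptions (all constructed for the example):
  - a hypothetical TokenVault run by the payment processor, outside the
    retailer's network, is the only place the PAN-to-token mapping exists;
  - the retailer's records keep only the token, the last four digits and the
    expiry, i.e. no full PAN;
  - 4111111111111111 is the widely used Visa test number, not a real card.
"""
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real PANs from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13 to 19 digit run in text: the scan an assessor
    runs over a merchant's stores, logs and exports to prove nothing is in scope."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


@dataclass
class TokenVault:
    """Processor-side vault (hypothetical). Tokens are random letters, so a
    token reveals nothing about the PAN and can never be mistaken for one."""
    _by_token: dict[str, str] = field(default_factory=dict)
    _by_pan: dict[str, str] = field(default_factory=dict)

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:        # same card -> same token, so the retailer
            return self._by_pan[pan]   # can still recognise a repeat customer
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the processor can do this; the retailer never holds the mapping."""
        return self._by_token[token]


def merchant_record(vault: TokenVault, pan: str, expiry: str, amount_pence: int) -> dict:
    """What the retailer actually stores: token plus the truncated PAN."""
    return {
        "token": vault.tokenise(pan),
        "last4": pan[-4:],
        "expiry": expiry,
        "amount_pence": amount_pence,
    }


def scope_check(records: list[dict]) -> list[str]:
    """Scan everything the retailer persisted. A non-empty result means full
    PANs have leaked into the merchant environment and it is back in scope."""
    blob = " ".join(str(v) for r in records for v in r.values())
    return find_pans(blob)


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", "12/25", 4999)   # constructed sale
    print("retailer stores:", rec)
    print("PANs found in retailer records:", scope_check([rec]))
    print("processor can still settle against:", vault.detokenise(rec["token"])[-4:])
```

The point the scan makes is the one Thompson's quote relies on: scope follows where full card numbers can be found, so the evidence that a tokenised environment is out of scope is a search of the merchant's own data that turns up nothing, not the vendor's assurance alone.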
Tim Allitt, sales and marketing director at independent payment processor SecureTrading, says that in the world of e-commerce, payment service providers (PSPs) need to help retailers become PCI compliant by giving them different options based on the merchant's requirements.
"For example, for small to medium enterprises or larger companies who prefer to outsource, a hosted payment page is ideal. The PSP hosts the relevant website page on their own PCI DSS compliant server. Card data gets captured, transmitted and stored by the PSP, and all the retailer has to do is fill out a simple self-assessment questionnaire to become compliant, with no technical work involved for them," he says.

The Logic Group's Adams believes that the stricter enforcement of PCI DSS has come as somewhat of a surprise after its introduction way back in 2004.
Retailers' concerns

"Retailers in general find it far more rigorous than they expected. They find it onerous, which is why a lot are outsourcing it, because it's easier, as in a lot of cases merchants would have to make significant changes to their infrastructure," he says. This was a concern for Debenhams when it began a programme to achieve PCI DSS compliance in 2008.