payments - Retail Systems

Recommendations

Info

RS 30 RS June - July 2012 supplement PCI DSS Underlying risk Many retailers find the requirements for PCI compliance confusing. But even more worryingly there are some who adopt a ‘tick box’ approach rather than addressing real security issues, writes Liz Morrell Any retailer that takes card payments must comply with the Payment Card Industry Data Security Standards (PCI DSS) or risk hefty fines. But many feel that the PCI standards, which comprise a list of 12 requirements covering both technology and business processes and procedures surrounding the electronic or manual storage, processing or transmission of cardholder information, are confusing and therefore difficult to adhere to. Especially as there are also different levels of compliance according to the size of a retail business. And although the current version of the standard, which is updated in three yearly cycles, has been in place since October 2010 there have been minor enhancements which retailers have to keep on top of – for example the announcement in January of an internal vulnerability assessment which comes into force at the end of this month and must be completed on a quarterly basis as well as the necessity for payment applications to also be compliant with the standard at the same time. Acquiring banks now have a bigger focus than ever on PCI compliance and are imposing monthly fines to spur retailers into achieving compliance. “The acquirer is tending to give quarterly reports back to the card schemes who are imposing monthly fines and can also charge higher transaction charges of retailers because they view them as an increased threat,” says Robin Adams, director of security, fraud and risk management at The Logic Group and also a QAS (qualified assessor) for PCI DSS. Solution explosion The stricter enforcement has led to an explosion in technology vendors rushing to market with PCI solutions and that in itself can be confusing. A number of solutions are becoming popular, including point-to-point encryption (P2Pe), tokenisation and outsourcing. “Many retailers are now looking at point-to-point encryption (P2Pe) and tokenisation as potential ways to minimise their PCI requirements – taking legacy environments out of scope can dramatically reduce the effort and cost involved,” says a spokesman for VeriFone. “For others, who want to reduce the PCI burden even further, opting for a ‘Payments as a Service’ which involves a third party managing the entire payments process, can offer a cost-effective and less-disruptive route to PCI.” Tony Hammond, product director at Torex, says the ultimate protection is from using P2PE in conjunction with tokenisation. “Point to point encryption (P2PE) utilising hardware based encryption used in conjunction with a tokenisation process not only secures data but can mitigate up to 70 per cent of PCI controls,” he says. Graham Thompson, sales and marketing director at Semafone, saysremoving card data from retail environmentscan provide big savings. “As decryption keys are not available to the merchant this encrypted data can cross their networks without bringing them into scope for PCI DSS.This can then save merchants millions of pounds of cost in not having to secure their networks and information systems to the standard of PCI DSS,” he says. Tim Allitt, sales and marketing director at independent payment processor SecureTrading, says in the world of e-commerce payment service providers (PSPs) need to help retailers by giving them different options to help them become PCI compliant based on the merchant’s requirements. “For example for small to medium enterprises or larger companies who prefer to outsource, a hosted payment page is ideal. The PSP hosts the relevant website page on their own PCI DSS compliant server. Card data gets captured, transmitted and stored by the PSP and all the retailer has to do is fill out a simple self-assessment questionnaire to become compliant, with no technical work involved for them,” he says. The Logic Group’s Adams believes that the stricter enforcement of PCI DSS has come as somewhat of a surprise after its introduction way back in 2004. Retailer’s concerns “Retailers in general find it far more rigorous than they expected. They find it onerous which is why a lot are outsourcing it because it’s easier as in a lot of cases merchants would have to make significant changes to their infrastructure,” he says. This was a concern for Debenhams when it began a programme to achieve PCI DSS compliance in 2008.
Aqil Nasser, Debenhams’ technical architecture controller, says the retailer wanted an all-encompassing solution to avoid having to undergo a complete overhaul of its IT infrastructure which comprised a mix of systems. “We wanted a solution from a single provider that would protect credit cards from the point-of-sale through our back-end decision support systems, including our merchandising data warehouse and processing systems,” he says. The retailer eventually chose a tokenisation solution fromLiaisonTechnologies which Nasser claims reduced programming and hardware costs as well as storage costs. “Because of its ability to run on all of our systems non-intrusively, we were able to meet all PCI DSS encryption requirements with minimal effort,” he says. Mikko Soirola, VP European sales for Liaison Technologies, says tokenisation is an increasingly popular solution for cardholder data protection. “This advanced form of encryption is a process of replacing sensitive data with surrogate values, or tokens, that can be used within company systems, but not outside of it. Therefore, like a gambling chip in a casino, the data has no value when it is taken from its intended location. The benefits of using tokens include protecting staff and significantly reducing the need to reengineer installed systems – further reducing costs.” With so many solutions Soirola says retailers should be asking questions of their providers such as How does your solution address the PCI-DSS compliance and scope of audits? How do you ensure my existing business processes, workflows and systems can continue operating whilst you implement the solution and can you offer me any benefits of PII data security when I move into this phase of my compliance journey? Of course retailers as well as completing their own selfassessment questionnaire (SAQ) or undergoing an audit by a QSA (Qualified Security Assessor) should also ensure their providers are PCI compliant asking suppliers to provide their certificate of compliance or checking approved suppliers against lists from MasterCard and Visa. “Vendors should have a PA DSS (Payment Application Data Security Standards) Certificate that proves their application has been audited by a Qualified Security Assessor (QSA) and Service Providers should have a Level 1 Service Provider Certificate again signifying that they have been audited by a QSA and that their service is PCI DSS compliant,” says Semafone’s Thompson. PCI compliance remains a complicated and costly process. “Retailers are starting to appreciate the reputational damage but there is no link to profits. The success is you don’t suffer security breaches,” says The Logic Group’s Adams. But Neira Jones, head of payment security at Barclaycard, says it is being taken more seriously be retailers. “Four years ago when I would do a presentation on this I would get an interested or semi-interested audience of IT managers. Now in 2012 I talk to finance directors, governance and risk directors PCI DSS supplement and marketing and PR and legal managers because it has wide implications. There is definitely more awareness and knowledge but we do need to move forward more,” she says citing smaller companies as being particularly at risk. ‘Tick box’ compliance Andrew Henwood, director at Foregenix, says there is a worrying trend in SMEs. “It is fair to say the smaller the merchant, unfortunately, the less likely they are to be working towards compliance. A “tick-box compliance” attitude is becoming prevalent. i.e. compliance for the sake of satisfying quotas rather than addressing the actual underlying risk,” he says. But the managing director of one such retail business, who asked not to be named, agrees: “Ultimately you only have to say you are compliant not be compliant. For small businesses the ambition is to ensure you are not being charged for not being compliant,” he says. PCI compliance is a necessity but one that still more could be done to simplify the process according to Clive Kahn, CEO of CardSave: “Frustratingly all too frequently banks relay the message of PCI compliance in a manner that makes it unpalatable for the businesses to which it applies. Traditionally steeped in complex terminology and elaborate acronyms, compliance has been seen as little more than a paper shuffling exercise and, for smaller retailers in particular, one that distracts from their core business activity,” he says. If achieving true PCI compliance is really the goal there still seems be more than can be done to help retailers. RS June -July 2012 RS 31
Page 1 and 2: Sponsored by awards Celebrating Inn
Page 3 and 4: FIRST CHOICE FOR TECHNOLOGY PURCHAS
Page 5 and 6: RS Editor Karen Moss karen.moss@ret
Page 7 and 8: Standing the test of time A Traditi
Page 9 and 10: Click & Collect elsewhere John Lewi
Page 11 and 12: FOCUS Retail systems multi-channel
Page 13 and 14: challenge against LoveFilm although
Page 15 and 16: Maximise your online revenues by bl
Page 17 and 18: A breathe of fresh air Casio’s ne
Page 19 and 20: Continental style Retail Systems fi
Page 21 and 22: at a glance MAY PayPal’s 15 milli
Page 23 and 24: thoughts from the frontline With th
Page 25 and 26: SBU, Wipro Technologies, says: “W
Page 27 and 28: contents 26..... Underlying risk Mo
Page 29 and 30: “A more convenient token based on
Page 31: strategies, says Richard Paterson,
Page 35 and 36: you’re looking for. So, this is i
Page 37 and 38: environment. Anyone who is a servic
Page 39 and 40: GT: So you’ve got the token, you
Page 41 and 42: soapbox During a time of economic s
Page 43 and 44: While facial recognition technology
Page 45 and 46: type solution within its armoury th
Page 47 and 48: Unpredictable weather patterns are
Page 49 and 50: A subscription to Retail Systems gu
Page 51 and 52: Imagine the scenario - a young fema
Page 53 and 54: Don’t miss out To be kept up-to-d
Page 55 and 56: direct commerce software D I R E C
Page 57 and 58: D I R E C T O R Y O F K E Y P L A Y
Page 59 and 60: D I R E C T O R Y O F K E Y P L A Y
Page 61 and 62: Keith Bird is CEO of e-commerce pla
Page 63 and 64: The Fifth Annual Retail Systems Mul

payments - Retail Systems

Create successful ePaper yourself

Delete template?

Save as template?