Friday 29 June 2007

DPA and its lack of teeth

Interesting article on Mondaq on the price of security under the Data Protection Act (DPA), focusing on the recent Nationwide incident, in which customer data may have been exposed on a lost laptop.

(Mondaq requires registration to read it.)

Tuesday 26 June 2007

When is a deadline not a deadline?

When it is a PCI deadline.
Back in April two large retailers seemed intent on meeting the 30th June 2007 deadline for PCI DSS compliance. Much was made of the efforts to achieve this, and smaller retailers and PSPs (payment service providers) followed suit.
Fast forward almost two months and the same two retailers are now reining in their efforts to fast-track PCI compliance because enforcement has been eased.
This slowdown can be attributed, at least in part, to an article that appeared on the front page of Computer Weekly in the UK, quoted below.

Card firms ease back on security demands

Credit card issuers have backtracked on demands that retailers and online merchants meet tough new standards to safeguard customer credit card data by the end of June.

Visa admitted this week that deadlines for retailers to comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires firms to adopt a package of security measures, were "unrealistic".

The move follows growing evidence that many retailers are struggling to implement the standards and are unlikely to have their systems fully secured for another one or two years.

Card companies are now limiting their demands to an immediate requirement that retailers put risk mitigation strategies in place to protect their most sensitive data, rather than insisting that all of the standard's criteria are met. Retailers must also be able to prove that they are working towards full compliance.

"Visa and MasterCard agree that risk mitigation is of prime importance and we expect this to be done immediately," said Stanley Skogland, head of policy compliance at Visa Europe. "It does not mean that we do not expect all parts of the standard to be achieved, but we cannot expect miracles overnight."

The PCI DSS was developed in January 2005 by Visa and MasterCard to compel businesses that process payment card data to meet 12 security standards.

But retailers only began to get to grips with the standard last year, following a series of high-profile leaks of confidential credit card data, including the loss of 45 million credit card details from US retailer TJX.

Paul Smith, director of payment systems at the British Retail Consortium, said the deadline was the second to pass without retailers achieving full compliance. He blamed poor communication for the delays.

"Communication was not good in the early days of this programme. Retailers need to know when and how these things need to happen," he said.

Smith added that about 20% of the requirements were still being discussed because "it is not clear what is actually required".

Simon Langley, head of PCI DSS at KPMG, said the reduced focus on the full 12 requirements was sensible given the mixed messages. "Visa and MasterCard agreed on the standard, but compliance has not been standardised," he said.

This could well mean a slowdown in PCI compliance, at least among the big boys. Note, though, that what has been eased is the deadline, not the standard: the card schemes still expect risk mitigation around the most sensitive cardholder data to be in place immediately, and retailers must still be able to show they are working towards full compliance with all 12 requirements.