The Information Commissioner's Office (ICO) said that online retailers that fail to process payment information in accordance with the Payment Card Industry Data Security Standard (PCI DSS) "or provide equivalent protection when processing customers' credit card details" risk action being taken against them.
PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions. The standard was established by the PCI Security Standard Council which comprises major payment card brands including American Express, Visa and MasterCard.
Under UK data protection laws the ICO has the power to fine organisations up to £500,000 for serious breaches of the laws which govern the protection of personal data. UK organisations that store personally identifiable information must adhere to certain principles, which include ensuring that data is not accidentally lost or damaged and is properly secure, under the provisions of the Data Protection Act.
The ICO issued its warning after finding that website hackers had been able to access the credit card information of 5,000 consumers that had shopped with cosmetics retailer Lush. The ICO said the data was "compromised" for four months between October last year and January 2011.
Lush received 95 complaints from customers who had been victims of fraud. It identified a "security lapse" in January this year and immediately restored the website's security, the ICO said.
An ICO investigation found that measures Lush employed to secure customers' payment details were "not sufficient to prevent a determined attack on their website". The retailer's methods for recording suspicious activity were not adequate either and this meant there was a delay in the time it took the company to spot that its security had been breached, the ICO said.
“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals," Sally Anne Poole, Acting Head of Enforcement at the ICO, said in a statement.
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back," Poole said.
"This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times,” Poole said.
Lush has signed undertakings to limit the payment data it stores to "the minimum amount" necessary and has committed to delete the information when it becomes no longer necessary to keep, the ICO said.
An external company, which complies with the PCI DSS, will manage the future payments to Lush and the cosmetics firm "will also make sure that appropriate technical and organisational measures are employed and maintained", the ICO said.