The Payment Card Industry Data Security Standard (PCI DSS)
requires that organisations processing credit cards either deploy an
application-level firewall to protect their payment processing or have
their software reviewed to ensure it is safe from hacks and fraud.
The PCI, which is an industry body formed by the major credit
card issuers, imposed a deadline of 30th June for implementation of
the protection, but many security industry observers say that the
deadline has been missed by a large number of retailers.
"It would be fair to say that there is still a lot of work to be
done by retailers and others on getting up to scratch," said
William Malcolm, a data protection expert at Pinsent Masons, the
law firm behind OUT-LAW. "Industry leaders have done much to
publicise the requirements but progress has been slow."
Consultancy Gartner has told Computerworld that most of its
clients were not ready for the deadline, and that most companies
are far behind in the process of compliance.
PCI DSS is a set of standards developed from card issuers'
individual security programmes and was adopted in 2006 by PCI. The
deadline was set by PCI to ensure that retailers would implement
systems that were secure in the face of known vulnerabilities and
hacks.
PCI insists that those processing its members' cards comply with
its standards; those who do not risk being fined or even losing their
ability to process payments at all.
Companies are required to submit to audits of their compliance
by approved consultancies, though small businesses with fewer than
80,000 transactions a year can self-assess.
Malcolm said that the PCI requirements should force companies to
examine their security measures.
"It will require organisations to take a detailed look at their
existing IT and management infrastructures and ensure that they
meet the rules," he said. "Those people processing primary account
numbers, the 16-digit card numbers, in relation to payment systems
would be well advised to check with the PCI to see if they are
covered by the PCI DSS requirements."
The requirements demand that any applications open to the
internet are protected against known attacks, either by
completing a review of their code to test for vulnerabilities or by
placing an application-level firewall in front of the system.
The standard also demands that companies do not simply use vendor-set
defaults for any firewall systems, and that they restrict access to
card data to those who absolutely need it.