An upgraded set of standards has been published by the
body which was formed by credit card issuers to provide the rules
governing the use of their cards. The latest version of the Payment
Card Industry Data Security Standard (PCI DSS) will bar new systems
from using WEP wireless encryption from next April.
Retailers conforming to PCI DSS will not be able to deploy Wired
Equivalent Privacy (WEP) on new wireless systems from April 2009.
All existing WEP systems must be replaced by June 2010 if retailers
are to claim compliance with the PCI DSS standard.
The PCI Security Standards Council (PCI SSC), the body which
operates the standards, has published version 1.2 of the standard,
which supersedes version 1.1 with immediate effect. Version 1.1 will
be retired completely on 31st December 2008, it said.
The new version of the standard does not introduce any major new
principles, the PCI SSC said, but the security changes it makes are
important.
The PCI SSC was established in 2006, and it said that the current
revisions are the result of industry feedback on the earlier version.
It said that its aim is to revise the standard every two years.
"It is especially gratifying to know that version 1.2 of the PCI
DSS is inclusive of global industry feedback," said Bob Russo,
general manager of the PCI SSC. "This ensures that we continue to
offer merchants and service providers a pathway to protect
cardholder account data that is sensible and achievable."
PCI SSC demands that companies processing its members' cards are
compliant with its standards. Those who are not compliant risk
being fined or even losing their ability to process payments at
all.
Companies are required to submit to audits of their compliance
by approved consultancies, though small businesses with fewer than
80,000 transactions a year can self-assess.
A PCI SSC deadline for implementing additional security to
protect card data fell at the end of June this year, but experts
said that a large proportion of retailers failed to meet it.
The principles of the PCI DSS include the requirement to build
secure networks, keep customer data safe, control access to the
network and maintain effective information security.
PCI SSC members include Visa, Mastercard and American Express.