Out-Law / Your Daily Need-To-Know

Out-Law News 1 min. read

Credit card firms order change to wireless security in shops


Retailers will have to change the wireless security they use for payment systems from April of next year. The body which sets the requirements for such systems has announced a mandatory improvement in wireless security.

An upgraded set of standards has been published by the body which was formed by credit card issuers to provide the rules governing the use of their cards. The latest version of the Payment Card Industry Data Security Standard (PCI DSS) will ban new systems from using a certain kind of security from next April.

Retailers conforming to PCI DSS will not be able to use Wired Equivalent Privacy (WEP) security systems on new systems from April 2009. All such systems must be replaced by June 2010 if retailers are going to be able to claim to be compliant with the PCI DSS standard.

The PCI Security Standards Council (PCI SSC), the body which operates the standards, has published version 1.2 of the standard, which will immediately replace version 1.1. Version 1.1 will fall out of use completely on 31st December 2008, it said.

The new version of the standard does not introduce any major new principles, the PCI SSC said, but the security changes it makes are important.

The PCI SSC was established in 2006 and it said that the current revisions are the result of industry response to the earlier version. It said that its aim is to revise the standard every two years.

"It is especially gratifying to know that version 1.2 of the PCI DSS is inclusive of global industry feedback," said Bob Russo, general manager of the PCI SSC. "This ensures that we continue to offer merchants and service providers a pathway to protect cardholder account data that is sensible and achievable."

PCI SSC demands that companies processing its members' cards are compliant with its standards. Those who are not compliant risk being fined or even losing their ability to process payments at all.

Companies are required to submit to audits of their compliance by approved consultancies, though small businesses with fewer than 80,000 transactions a year can self-assess.

A PCI SSC deadline for implementing additional security to protect card data fell at the end of June this year, but experts said that a large proportion of retailers failed to meet it.

The principles of the PCI DSS include the requirement to build secure networks, keep customer data safe, control access to the network and maintain effective information security.

PCI SSC members include Visa, Mastercard and American Express.
