'Aussie merchant card security standards a sham'

Australian retailers are sluggishly adopting credit card security standards, according to Citrix chief security officer, Kurt Roemer, but competing standards and proposed amendments to the Privacy Act will cause even greater confusion for them.

PCI DSS (Payment Card Industry Data Security Standard) is a set of 12 requirements for securing credit card information whenever it is stored, processed or transmitted by a merchant. The industry-wide effort is aimed at reducing credit card fraud.

The standard covers basic aspects of security such as firewalls, passwords, data storage protection, antivirus and encryption, and was originally developed by Visa before being adopted late last year by all of the major credit card providers, including Mastercard and American Express.

Roemer said that Australian retailers remain "behind the rest of the world" in terms of awareness and adoption of the PCI DSS standard -- a task the PCI Standards Council has handed to banks, which regulate it on a contractual basis with merchants.

However, Roemer said there "doesn't appear to be an acceptable level of awareness" in Australia.

This is despite credit card companies providing both incentives for PCI-compliant customers and penalties for those merchants that haven't made the effort.

Incentives include savings on the transaction rates offered by the credit card companies. Penalties for those companies that are not compliant include unfavourable transaction rates and the levying of fines of up to AU$50,000.

Roemer said credit card issuers in other countries, such as banks, have made direct contact with merchants to warn them of the consequences -- but he doubts such an effort has been made in Australia.

Conflicting standards confuse retailers
Retailers can expect the challenge to comply with payment card security standards to become more complex in the near future.

According to Ajoy Ghosh, a security executive with Logica CMG, planned amendments to the Commonwealth Privacy Act as well as Visa's announcement of new security standards for card payment software used by merchants will add further complexity for merchant compliance.

"There is a new scenario emerging. Visa have sponsored another organisation which have come up with PA DSS [Payment Application Data Security Standard]. Visa is now requiring Visa merchants to comply with that," said Ghosh.

"On top of that, [proposed] amendments to the Privacy Act broadly extend the scope of 'personal data' to include IP and e-mail addresses. On the other hand PCI DSS and PA DSS require merchants to keep certain things such as originating IP addresses, yet under the privacy act that's considered a piece of personal data, which means a merchant needs to consider how that is captured and stored," he added.

In other words, to comply with the PCI and PA DSS standards, retailers will need to capture an IP address from a transaction, which forms part of an audit record, yet to comply with proposed amendments to the Privacy Act, retailers will need to gain the consent of their customers to collect this data.

"At the moment, if you're just capturing an IP address you can't attach that to a person, but if it's matched to a transaction that becomes personal data," explained Ghosh.
