'Aussie merchant card security standards a sham'

Despite the potential confusion, Citrix's Roemer said retailers should, at a minimum, understand their duties under PCI standards while those responsible for awareness of the standard should do more.

"If you deal with credit card information in any way and you haven't been told about the PCI DSS standard, somebody has tremendously failed you," Roemer said. "You definitely need to be aware of this."

The risk, he says, is that companies unaware that they need to comply will be left scrambling to do so in ever less time as the compliance deadlines approach.

The first auditable deadline already passed at the start of the year. A second deadline around applications, firewalls and scanning is due in mid-2008, before several more rolling deadlines come up in 2008, 2009 and beyond.

A breach, in most cases, can be more disastrous than a fine.

Take the recent theft of credit card data from online florist, Roses Only, for example.

An estimated 20,000 Australians had their credit card details exposed by the e-tailer in September, an incident that has since become the subject of police and Privacy Commission investigations.

"My number one recommendation is to know when and how credit card information is used in your organisation," Roemer said.

"I would then recommend you read the PCI DSS specification and have it read by anybody relevant to your dealings with that information."

"Third, I would recommend that instead of taking a reactionary approach to credit card security, that you be more progressive. Virtualise access to credit card applications in a way that is centralised, authenticated, available only to those who require the application, and auditable."

Payment Application Data Security Standard
PA-DSS compliance will also mean that retailers need to ensure the payment software they use meets the additional compliance measures Visa recently announced.

Visa's Payment Application Best Practices (PABP) require that retail software applications do not store credit card information after the transaction is completed.

Roemer said that in many retail configurations, the credit card swipe is hooked into the keyboard input of a PC. Retailers often have "little idea" about how much of a customer's information is stored on the machine as a result, he said.

"Criminals are targeting certain versions of software because of their known security gaps," said Michael Smith, Visa's senior vice president of payment system risk in a statement last week. "Some versions of software in use today are known to store the full content of the magnetic stripe, PIN data or security codes contrary to Visa rules and the PCI Data Security Standard."

This new requirement, again pioneered by Visa, has been accepted by Visa's credit card peers and in early 2008 will be released as an industry-wide standard called the Payment Application Data Security Standard (PA-DSS).

Roemer said that most credit card applications were written well before authentication and audit controls were available. When these new application requirements are made universal, he anticipates a need for a "great deal of upgrades" in retail technology.
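The failure mode Visa describes above, payment software on the swipe-attached PC quietly writing full magnetic stripe data or card verification codes to disk, is one a retailer can check for without waiting for an audit. The following scanner is an added example written for this page; it is not code from the article, Citrix or Visa. It looks for ISO 7813 track 1 and track 2 data, bare Luhn-valid card numbers and CVV fields in text a POS application might have stored. The log line format and the `SAMPLE_STORED_DATA` lines are constructed for the example, and the card numbers are the widely published Visa and MasterCard test numbers, not real cardholder data.

```python
import re
from typing import Dict, List

# Constructed sample of lines a point-of-sale application might leave behind in
# a local log or batch file on the PC the card swipe is attached to. The card
# numbers are the published Visa/MasterCard test numbers, not real data.
SAMPLE_STORED_DATA = [
    "2007-09-14 10:02:11 TXN 4417 auth=OK amount=59.95 pan=411111******1111",
    "2007-09-14 10:02:11 RAW %B4111111111111111^DOE/JOHN^0812101000000000?",
    "2007-09-14 10:05:43 RAW ;5555555555554444=0812101000000000?",
    "2007-09-14 10:07:02 TXN 4418 auth=OK pan=5555555555554444 cvv2=123",
    "2007-09-14 10:09:30 TXN 4419 auth=DECLINED pan=1234567890123",
]

# ISO 7813 track layouts: track 1 starts with '%' and format code 'B', then the
# PAN, a '^' separator, the cardholder name, another '^' and expiry/service code;
# track 2 starts with ';' and uses '=' as the separator after the PAN.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# A bare run of 13-19 digits is only a candidate PAN; the Luhn check below
# filters out order numbers, timestamps and other digit runs.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Card verification values must never be stored after authorisation.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Report prohibited cardholder data found in each line.

    Each finding is a dict with the 1-based line number, the kind of data
    ('track1', 'track2', 'pan' or 'cvv') and a masked PAN where one applies.
    A PAN already reported as part of a track is not reported again as a bare PAN.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        seen_pans = set()
        for kind, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in regex.finditer(line):
                seen_pans.add(m.group(1))
                findings.append({"line": lineno, "kind": kind, "pan": mask(m.group(1))})
        for m in PAN_RE.finditer(line):
            pan = m.group(1)
            if pan in seen_pans or not luhn_ok(pan):
                continue
            seen_pans.add(pan)
            findings.append({"line": lineno, "kind": "pan", "pan": mask(pan)})
        if CVV_RE.search(line):
            findings.append({"line": lineno, "kind": "cvv", "pan": ""})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_STORED_DATA):
        print(f"line {f['line']}: {f['kind']} {f['pan']}".rstrip())
```

Run against the sample, the scanner flags the raw track 1 and track 2 records, the unmasked PAN stored alongside a CVV2 value, and nothing for the properly masked PAN or the 13-digit number that fails the Luhn check. The same functions can be pointed at real POS log directories, swap files or database exports; a Luhn-valid hit is still only a candidate until confirmed, but a track pattern or a stored CVV is exactly the kind of storage the Visa rules and PCI DSS prohibit.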
