PCI: Retail therapy

As the Payment Card Industry's data security regulation begins to bite, Barry Mansfield examines its aims and obligations.

Merchants can no longer avoid the issue, but their confusion is understandable. The subject is a minefield of acronyms, with significant variation in the rules, depending on the number of transactions you handle. PCI compliance is a very specialised area that requires time, attention and resources.

So what exactly is PCI DSS? The Payment Card Industry Data Security Standard is a set of rules developed in 2004 by Visa International and MasterCard Worldwide and later endorsed by other payment providers, including American Express and Diners Club. Put simply, it is designed to protect payment providers and merchants from identity theft and credit-card security breaches.

PCI goes to the root of the problem. "First of all, you cannot store sensitive authentication data such as PIN numbers or CVV numbers," explains Ian Reece, security specialist at Integralis. "Second, you must properly encrypt the information you are allowed to keep - for example, the primary account number. And then there is policy. People know you don't leave the window in the server room unlocked. But you need formally defined policies so that they are easily repeatable. Get into a routine to enforce security."

The PCI rules apply to any type of media on which card data is stored - this encompasses hard disk drives, floppy disks, magnetic tape and backup media, as well as receipts displaying the full card number. The latter are often held by merchants as a paper record of the transaction and are used for voucher recovery purposes or as proof of the transaction to respond to a request for information (RFI). The card number must be held in full, which is why it is so important that receipts are stored securely.

Retailers must also take care to physically and electronically secure all other areas where card details may be stored, processed or transmitted. This is crucial because many electronic point-of-sale (EPOS) systems take a copy of the card details and store them unencrypted within their own databases for reconciliation and reporting purposes.
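To make the storage rules concrete, here is an added example (not from the article or from any vendor quoted in it) of a small audit check a merchant could run over exported EPOS records: it flags stored sensitive authentication data and any Luhn-valid card number sitting in cleartext, reporting PANs only in the masked form PCI DSS allows. The field names and sample records are constructed assumptions, not a real EPOS schema.

```python
import re
from typing import Dict, List

# Constructed sample rows from a hypothetical EPOS reconciliation table.
# Field names (pan, cvv, track2, receipt) are assumptions, not a real schema.
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111111111111111", "cvv": "123", "expiry": "12/27"},
    {"id": 2, "pan": "411111******1111", "cvv": "", "expiry": "12/27"},
    {"id": 3, "receipt": "Total 42.00 paid with card 5555555555554444"},
    {"id": 4, "track2": ";4111111111111111=27121011000012345678?"},
]

# Candidate PAN: 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Fields PCI DSS never allows to be stored after authorisation.
SENSITIVE_AUTH_FIELDS = ("cvv", "track2", "pin")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six + last four, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_record(rec: Dict[str, object]) -> List[str]:
    """Return PCI DSS storage findings for one record, never echoing a full PAN."""
    findings: List[str] = []
    for field, value in rec.items():
        if not isinstance(value, str):
            continue
        if field in SENSITIVE_AUTH_FIELDS and value:
            findings.append(f"{field}: sensitive authentication data stored")
        for m in PAN_RE.finditer(value):
            if luhn_ok(m.group()):
                findings.append(f"{field}: cleartext PAN {mask_pan(m.group())}")
    return findings


def audit(records: List[Dict[str, object]]) -> Dict[object, List[str]]:
    """Audit every record; an empty list means the row stores nothing it shouldn't."""
    return {rec["id"]: audit_record(rec) for rec in records}
```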

Although confusion about the standard is still widespread, a comprehensive education campaign has been underway for some time. "There are people I've worked with at Visa and MasterCard whose full-time job is to raise the profile of PCI DSS and talk to retailers," says Paul Meadowcroft, head of transaction security at Thales.

The PCI initiative has been criticised by some, including Dave Hogan, chief information officer of the US National Retail Federation, as little more than a money-making racket for credit-card companies, but there can be no doubt that retailers have been found worryingly lacking on security.

Recently, security blogger George Ou used the Kismet sniffer tool to prove that many big-name high-street stores are still using the outdated WEP encryption standard for data transmission. This comes a year after the TJX debacle, where an insecure wireless network is thought to have allowed criminals to download nearly 100 million credit and debit-card numbers from outside a store.
