With so many changes, how may one comply?

Jul 11, 2008 15:36 GMT

The PCI DSS (short for Payment Card Industry Data Security Standard) is a set of rules and guidelines meant to protect the customer and merchant against fraud. Since you will be providing the merchant with your credit card information, it is important that it stays safe from attackers and hackers. UK-based department store John Lewis agrees that the PCI DSS is necessary and wants to comply, but feels it has to speak out against how unnecessarily difficult the whole process can be.

By this time in 2009 John Lewis plans to be in full compliance with the PCI DSS standard. There are literally a dozen requirements that must be met, covering issues such as data encryption, data storage and data management.

Frank Cordrey, Head of Development Support with John Lewis, comments for Computing: "The goalposts of the PCI standard have been moved several times. It was fairly consistent and the objectives were clear at first, but there are a number of areas that have changed considerably in the past couple of years. There are times when you need rules to be static for a while so you can catch up and take things forward. What I would like to see is someone accepting the fact that this is a big task and that if you want people to stick to rules, specifications must be retained."

The total number of companies that are part of the PCI Security Standards Council amounts to 460, and John Lewis is one of these companies. If they are upset now, wait until October when a new version of the PCI standard comes out.

Since numerous UK-based businesses are not compliant with the standard, the banks are sure to react in a tough manner. It is also believed that bringing companies into compliance with the PCI standard will cost significant amounts of money.

Etienne Greeff, director of MIS, comments: "Because PCI DSS has been delayed so much and UK firms are so far behind, there is a massive backlog of firms that need help to achieve compliance. PCI compliance is one of our top two business topics for 2008. It is true there are no financial penalties, but it is incorrect to say there is no impetus for merchants to comply. Banks are now going to merchants and imposing penalties if there is a breach. They are doing it with tier-one retailers first and once they have reduced the risk there they will go to the next level down."