'Aussie merchant card security standards a sham'

Australian retailers are sluggishly adopting credit card security standards, according to Citrix chief security officer, Kurt Roemer, but competing standards and proposed amendments to the Privacy Act will cause even greater confusion for them.

PCI DSS (Payment Card Industry Data Security Standard) is a set of 12 requirements for securing credit card information whenever it is stored, processed or transmitted by a merchant. The industry-wide effort is aimed at reducing credit card fraud.

The standard covers basic aspects of security such as firewalls, passwords, data storage protection, antivirus and encryption, and were originally developed by Visa before being adopted late last year by all of the major credit card providers including Mastercard and American Express.

Roemer said that Australian retailers remain "behind the rest of the world" in terms of awareness and adoption of the PCI DSS standard -- a task the PCI Standards Council has handed to banks, which regulate it on a contractual basis with merchants.

However Roemer said there "doesn't appear to be an acceptable level of awareness" in Australia.

This is despite credit card companies providing both incentives for PCI-compliant customers and penalties for those merchants that haven't made the effort.

Incentives include savings on the transaction rates offered by the credit card companies. Penalties for those companies that are not compliant include unfavourable transaction rates and the levying of fines of up to AU$50,000.

Roemer said credit card issuers in other countries, such as banks, have made direct contact with merchants to warn them of the consequences -- but he doubts such an effort has been made in Australia.

According to Ajoy Ghosh, a security executive with Logica CMG, planned amendments to the Commonwealth Privacy Act as well as Visa's announcement of new security standards for card payment software used by merchants will add further complexity for merchant compliance.

"There is a new scenario emerging. Visa have sponsored another organisation which have come up with PA DSS [Payment Application Data Security Standard]. Visa is now requiring Visa merchants to comply with that," said Ghosh.

"On top of that, [proposed] amendments to the Privacy Act broadly extend the scope of 'personal data' to include IP and e-mail addresses. On the other hand PCI DSS and PA DSS require merchants to keep certain things such as originating IP addresses, yet under the privacy act that's considered a piece of personal data, which means a merchant needs to consider how that is captured and stored," he added.

In other words, to comply with the PCI and PA DSS standards, retailers will need to capture an IP address from a transaction, which forms part of an audit record, yet to comply with proposed amendments to the Privacy Act, retailers will need to gain the consent of their customers to collect this data.

"At the moment, if you're just capturing an IP address you can't attach that to a person, but if it's matched to a transaction that becomes personal data," explained Ghosh.

Despite the potential confusion, Citrix's Roemer said retailers should, at a minimum, understand their duties under PCI standards while those responsible for awareness of the standard should do more.

"If you deal with credit card information in any way and you haven't been told about the PCI DSS standard, somebody has tremendously failed you," Roemer said. -You definitely need to be aware of this."

The risk, he says, is that companies that are unaware of their need to be compliant will be scrambling to do so in less time as deadlines for compliance approach.

The first auditable deadline already passed at the start of the year. A second deadline around applications, firewalls and scanning is due in mid-2008, before several more rolling deadlines come up in 2008, 2009 and beyond.

A breach, in most cases, can be more disastrous than a fine.

Take the recent theft of credit card data from online florist, Roses Only, for example.

An estimated 20,000 Australians had their credit card details exposed by the e-tailer in September, which has since become the subject of Police and Privacy Commission investigations.

"My number one recommendation is to know when and how credit card information is used in your organisation," Roemer said.

"I would then recommend you read the PCI DSS specification and have it read by anybody relevant to your dealings with that information."

"Third, I would recommend that instead of taking a reactionary approach to credit card security, that you be more progressive. Virtualise access to credit card applications in a way that is centralised, authenticated, available only to those who require the application, and auditable."

Payment Application Data Security Standard
PA DSS compliance will mean retailers also need to ensure the technology they are using meets the additional compliance measures which Visa recently announced.

Visa's Payment Application Best Practices (PABP) require that retail software applications do not store credit card information after the transaction is completed.

Roemer said that in many retail configurations, the credit card swipe is hooked into the keyboard input of a PC. Retailers often have "little idea" about how much of a customer's information is stored on the machine as a result, he said.

"Criminals are targeting certain versions of software because of their known security gaps," said Michael Smith, Visa's senior vice president of payment system risk in a statement last week. "Some versions of software in use today are known to store the full content of the magnetic stripe, PIN data or security codes contrary to Visa rules and the PCI Data Security Standard."

This new requirement, again pioneered by Visa, has been accepted by Visa's credit card peers and in early 2008 will be released as an industry-wide standard called the Payment Application Data Security Standard (PA-DSS).

Roemer said that most credit card applications were written well before authentication and audit controls were available. When these new application requirements are made universal, he anticipates a need for a "great deal of upgrades" in retail technology.