Many online retailers miss security deadline

The Payment Card Industry Data Security Standard (PCI DSS) requires that businesses processing credit cards either place a new firewall in front of their payment processing systems or have their software reviewed to ensure it is safe from hacks and fraud.

The PCI, which is an industry body formed by the major credit card issuers, imposed a deadline of 30th June for implementation of the protection, but many security industry observers say that the deadline has been missed by a large number of retailers.

"It would be fair to say that there is still a lot of work to be done by retailers and others on getting up to scratch," said William Malcolm, a data protection expert at Pinsent Masons, the law firm behind OUT-LAW. "Industry leaders have done much to publicise the requirements but progress has been slow."

Consultancy Gartner has told Computerworld that most of its clients were not ready for the deadline, and that most companies are far behind in the process of compliance.

PCI DSS is a set of standards developed from card issuers' individual security programmes and was adopted in 2006 by PCI. The deadline was set by PCI to ensure that retailers would implement systems that were secure in the face of known vulnerabilities and hacks.

PCI insists that those processing its members' cards comply with its standards; those who are not compliant risk being fined or even losing their ability to process payments at all.

Companies are required to submit to audits of their compliance by approved consultancies, though small businesses with fewer than 80,000 transactions a year can self-assess.

Malcolm said that the PCI requirements should force companies to examine their security measures.

"It will require organisations to take a detailed look at their existing IT and management infrastructures and ensure that they meet the rules," he said. "Those people processing primary account numbers, the 16-digit card numbers, in relation to payment systems would be well advised to check with the PCI to see if they are covered by the PCI DSS requirements."

The requirements demand that any applications open to the internet are protected against existing attacks, either by completing a review of their code to test for vulnerabilities or by deploying an application-level firewall in front of the system.

The standard also demands that companies do not simply keep vendor-set defaults on any firewall systems, and that they restrict access to card data to only those who absolutely need it.