This is an archived article -
we have removed images and other assets but have left the text unchanged for your reference
By Kevin Burns
The Payment Card Industry Security Standards Council (PCI SSC) updated its compliance guidance in 2010. Many retailers were hoping the update would give a clear way forward in terms of their PCI DSS compliance. So have their hopes been in vain?
The guidance covered two areas:
1. Europay, MasterCard and VISA (EMV): the guidance concludes that EMV does not address PCI DSS and therefore the two need to coexist. It also goes on to state that: “EMV can substantially reduce fraud in face-to-face environments” and “can mitigate the risk”. So clearly the SSC are supporting EMV but it is still not insisting that EMV become the global standard so UK merchants are put at risk every time they want to accept payment on cards which are not EMV smartcards, and UK card holders are put at risk because their stolen data can be used on cloned cards outside of the UK where swipe is still the default standard.
2. Point To Point Encryption (P2PE): the SSC states that the technology is at an ‘immature’ stage. The reality is however, that there are solutions in the market today which fit the P2PE definition and which are PCI DSS certified.
Most UK merchants who process customer present transactions will be faced with PCI-PTS problems in 2012 because the (EMV) Chip and PIN solution they implemented in 2004/05 will not comply.
Indeed, anyone who has not replaced their PIN Entry Device (PED) estate from 2008 on will have this issue. Committing to a PED replacement (in terms of hardware and engineering to roll it out) is not an insignificant investment so you need to make the right decision and know what the costs are likely to be.
The cost of compliance
A key factor in this decision-making process would be whether to allow for P2PE solutions or not as the requirements on the PED are different to what we have in most merchant environments today and this has cost implications. Similarly, when looking at P2PE you need to consider whether the potential ‘simplification’ of scope is worth the additional cost likely to be incurred when selecting a service provider to deliver the solution versus the continued cost of compliance in-house.
Reports over the past six months put UK merchant compliance at between 11 per cent and 25 per cent, so how do the 75 per cent or more decide on what is best for them?
One answer could be to wait for further PCI SSC guidance during the course of this year, but given the need to plan for PCI-PTS issues in 2012, is this really advisable?
The alternative is to look at solutions that simplify your PCI requirements in the meantime.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
You are in: Home » Guest Comment » Guest comment: PCI DSS – What do the new guidelines mean for retailers?
Guest comment: PCI DSS – What do the new guidelines mean for retailers?
by Staff Writer
This is an archived article - we have removed images and other assets but have left the text unchanged for your reference
By Kevin Burns
The Payment Card Industry Security Standards Council (PCI SSC) updated its compliance guidance in 2010. Many retailers were hoping the update would give a clear way forward in terms of their PCI DSS compliance. So have their hopes been in vain?
The guidance covered two areas:
1. Europay, MasterCard and VISA (EMV): the guidance concludes that EMV does not address PCI DSS and therefore the two need to coexist. It also goes on to state that: “EMV can substantially reduce fraud in face-to-face environments” and “can mitigate the risk”. So clearly the SSC are supporting EMV but it is still not insisting that EMV become the global standard so UK merchants are put at risk every time they want to accept payment on cards which are not EMV smartcards, and UK card holders are put at risk because their stolen data can be used on cloned cards outside of the UK where swipe is still the default standard.
2. Point To Point Encryption (P2PE): the SSC states that the technology is at an ‘immature’ stage. The reality is however, that there are solutions in the market today which fit the P2PE definition and which are PCI DSS certified.
Most UK merchants who process customer present transactions will be faced with PCI-PTS problems in 2012 because the (EMV) Chip and PIN solution they implemented in 2004/05 will not comply.
Indeed, anyone who has not replaced their PIN Entry Device (PED) estate from 2008 on will have this issue. Committing to a PED replacement (in terms of hardware and engineering to roll it out) is not an insignificant investment so you need to make the right decision and know what the costs are likely to be.
The cost of compliance
A key factor in this decision-making process would be whether to allow for P2PE solutions or not as the requirements on the PED are different to what we have in most merchant environments today and this has cost implications. Similarly, when looking at P2PE you need to consider whether the potential ‘simplification’ of scope is worth the additional cost likely to be incurred when selecting a service provider to deliver the solution versus the continued cost of compliance in-house.
Reports over the past six months put UK merchant compliance at between 11 per cent and 25 per cent, so how do the 75 per cent or more decide on what is best for them?
One answer could be to wait for further PCI SSC guidance during the course of this year, but given the need to plan for PCI-PTS issues in 2012, is this really advisable?
The alternative is to look at solutions that simplify your PCI requirements in the meantime.
Kevin Burns is PCI specialist at BT Expedite
Read More
You may also like
Register for Newsletter
Receive 3 newsletters per week
Gain access to all Top500 research
Personalise your experience on IR.net