Guest comment: PCI DSS - What do the new guidelines mean for retailers?

By Kevin Burns

The Payment Card Industry Security Standards Council (PCI SSC) updated its compliance guidance in 2010. Many retailers were hoping the update would give a clear way forward in terms of their PCI DSS compliance. So have their hopes been in vain?

The guidance covered two areas:

1. Europay, MasterCard and VISA (EMV): the guidance concludes that EMV does not address PCI DSS and that the two therefore need to coexist. It also goes on to state that “EMV can substantially reduce fraud in face-to-face environments” and “can mitigate the risk”. So the SSC clearly supports EMV, but it is still not insisting that EMV become the global standard. As a result, UK merchants are put at risk every time they accept payment on cards which are not EMV smartcards, and UK cardholders are put at risk because their stolen data can be used on cloned cards outside the UK, where swipe is still the default standard.

2. Point-to-Point Encryption (P2PE): the SSC states that the technology is at an 'immature' stage. The reality, however, is that there are solutions on the market today which fit the P2PE definition and which are PCI DSS certified.

Most UK merchants who process customer-present transactions will face PCI-PTS problems in 2012, because the (EMV) Chip and PIN solution they implemented in 2004/05 will not comply.

Indeed, anyone who has not replaced their PIN Entry Device (PED) estate since 2008 will have this issue. Committing to a PED replacement (both the hardware and the engineering to roll it out) is not an insignificant investment, so you need to make the right decision and know what the costs are likely to be.

The cost of compliance

A key factor in this decision is whether to allow for P2PE solutions or not, because the requirements a P2PE solution places on the PED differ from what most merchant environments have today, and this has cost implications. Similarly, when looking at P2PE you need to consider whether the potential 'simplification' of scope is worth the additional cost likely to be incurred in selecting a service provider to deliver the solution, versus the continued cost of compliance in-house.

Reports over the past six months put UK merchant compliance at between 11 per cent and 25 per cent, so how do the remaining 75 per cent or more decide what is best for them?

One answer could be to wait for further PCI SSC guidance during the course of this year, but given the need to plan for PCI-PTS issues in 2012, is this really advisable?

The alternative is to look at solutions that simplify your PCI requirements in the meantime.

Kevin Burns is PCI specialist at BT Expedite

© InternetRetailing Media