Welcome to the eCommerce Report Australian ecommerce network
Our latest print edition was
Volume 16, Number 1, 2009

VISA Australia defends PCI-DSS online card security scheme

Bottle Domains' false claim that it had been recognised as compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) is not the only reason why Australian ecommerce businesses should be asking questions about the standard.

Nor is the recent statement by Philip Lowe, an Assistant Governor at the Reserve Bank, that phone and online card fraud grew by as much as 50% in Australia last year. But it is a fact that debate over PCI-DSS in the US has recently become so intense that the future of the scheme has prompted special hearings before a congressional committee.

Credit-card companies, Internet businesses and online security experts have all given evidence to the hearings, which have been held in the wake of security breaches at the online payment processors Heartland and the Royal Bank of Scotland-owned WorldPay.

Both Heartland, which is said to be the sixth-biggest payments processor in the US, and WorldPay had been thought to be PCI-DSS compliant at the time they were hacked.

Certainly their operations had been audited, and had earned compliance recognition from an independent qualified PCI-DSS security assessor.

However, because their systems were nonetheless hacked and card information lost, the official line from the PCI Security Standards Council is that they were not, in fact, PCI compliant at the time.

That is why, and how, card companies and PCI-DSS promoters can continue to claim, as has Visa Australia’s corporate relations manager, Judy Shaw, that the scheme has a 100% success record to date.

“No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach,” she told eCommerce Report.

In an email response to our questions about the scheme, Ms Shaw said that VISA was still insisting that all ecommerce and online merchants accepting card payments should invest in establishing PCI-DSS compliance.

“PCI DSS remains an effective security tool when implemented properly – and remains the best insurance against the loss of sensitive data.”

The scheme, which is supported by all the major card companies, specifies four different levels of compliance for businesses, depending on their size.

“Under the PCI DSS program, merchants are classified into four levels, and must undergo a number of steps, depending on their level, in order to become PCI compliant. Levels 1, 2, 3 and all service providers must provide evidence of their PCI compliance to their acquiring bank, who reports it to the card schemes,” said Ms Shaw.

Small businesses, however, or those doing fewer than 3000 transactions a month, can elect to carry out their own internal PCI-DSS assessments and don’t have to prove compliance to a bank.

Shaw said that, even if the scheme hasn’t had a high profile to date in Australia, many larger companies have already been audited.

“Globally, more than 70 percent of the largest (Level 1 and 2) merchants have now validated their compliance with the PCI DSS. (Merchants in these two categories account for a majority of Visa's global transaction volume.)”

She added that their compliance had been a significant step forward in improving online card security.  

“PCI DSS compliance has been successful in reducing the storage of prohibited account data such as magnetic stripe, CVV2 and PIN data from the largest merchants' systems.”

Nevertheless, online card fraud is still growing, and there is no evidence that either the card schemes or Australian banks are taking any steps to police or enforce PCI-DSS compliance down under, or at least not amongst those claiming to be PCI compliant.

eCommerce Report is not aware of any evidence of any Australian company ever having suffered any fines for non-compliance under PCI-DSS.

Indeed there is so little policing and enforcement activity that businesses may feel confident that if they simply assert they are PCI compliant, as Bottle Domains has done, no-one will check on that, and no-one will do anything about it.

Or in other words, Australian businesses who simply claim PCI compliance may never be asked to provide proof, or suffer any penalty from not providing proof.

VISA’s Judy Shaw denied that this is the case, saying that “If there was a merchant making false claims, the matter would be investigated. A matter could be escalated to the acquiring bank responsible for that merchant, the card schemes or the PCI Security Standards Council.”

But she was unable to say who would do the investigating and who would escalate or report the matter.

eCommerce Report has contacted all eleven qualified PCI-DSS security assessors doing business in Australia and New Zealand. (See our separate story in this issue: Verisign closes PCI-DSS audit business down under.)

None has been able to provide any evidence of any fine or penalty ever being issued to any Australian business under the PCI-DSS scheme.

We would like to believe that both the card schemes and the banks are continuing to take PCI-DSS seriously in Australia.

And we would like to believe VISA’s claim that “We have an extensive program aimed at compliance in Australia, including a regular program of education and information workshops.”

But regrettably, thus far we’ve seen no evidence of an “extensive” programme, and no evidence of education and information workshops at all, regular or otherwise.

For more information go to:
www.pcisecuritystandards.org