Verisign closes PCI-DSS audit business down-under
Global US online services company, Verisign, has closed its specialist PCI-DSS security audit business in Australia, in what may be seen as yet further evidence of declining industry confidence in the standard.
Verisign’s Stephan Overbeek had been one of twelve PCI-DSS Qualified Security Assessors listed on the PCI Security Standards Council web-site as doing business in Australia.
But Overbeek is no longer with the company and, despite denials by both Verisign and its PR company, Weber Shandwick, calls to Verisign’s Sydney office asking for anyone in that area are being told the entire business unit has been shut down.
Indeed, local Verisign marketing manager, Andrew Horbury, admitted as much when he told eCommerce Report that the company was re-structuring and re-focussing its efforts.
Verisign’s obvious doubts about the merits of a specialist PCI-DSS business unit in Australia were not shared by any of the other eleven QSAs, however.
And they were, to a man, adamant that the PCI-DSS scheme is both important and effective in preserving the security of customers’ card information at online merchants.
eCommerce Report contacted all eleven this week to ask why, given that Bottle Domains’ false compliance claims have shown the integrity of the scheme to be highly questionable, an investment in compliance shouldn’t be evaluated as a marketing rather than a security expenditure.
We also invited QSAs to provide any evidence they had of fines or penalties that local businesses had suffered for non-compliance.
Here is a selection of the responses.
Drazen Drazic, CEO of Securus Global, publishes an up-to-date and informative blog on PCI-DSS issues and told eCommerce Report that it would be a mistake to doubt the card companies’ commitment to the scheme.
Moreover, even if no fines have been issued locally as yet, he said there definitely had been in other parts of the world.
“The threat of fines does hang over the head of organisations who are not compliant. That is a fact.”
Andrew Jamieson, from Witham Labs, said that irrespective of whether or not fines are being issued locally, compliance isn’t just a marketing decision.
“PCI DSS serves as a check for a minimum level of security that is sufficient to meet the card schemes’ expectation for card data security. Merchants that do not meet this level are at an increased risk of compromise, which will certainly result in financial burdens.”
He added that online merchants should see compliance as similar to wearing a seat belt whilst in a car.
“To use a familiar simile, most people do not wear seatbelts in their car for fear of fines, or as a gimmick. They wear them as a safety precaution against risk of injury during an accident. In the same vein, compliance to the PCI DSS criteria is a safety precaution against the risk of being the victim of a card data compromise.”
Mike Ryan, business development manager at Vectra Corporation, also argued that if PCI-DSS compliance is seen as just a marketing question, then it may struggle to get the required level of investment.
“If compliance to the PCI DSS were a “marketing choice” rather than a mandatory requirement the protection of cardholder data would suffer as I believe many organisations would struggle to allocate sufficient resources for its implementation and maintenance.”
Robert Mcadam from PureHacking.com said that the local situation is different from that in the US because of a lack of any requirement for online merchants or service providers to either report or publicly disclose that they’ve been hacked.
“In Australia, you don’t have to advertise that there has been a breach unlike the USA. Consequently, you won’t know if a penalty has been leveraged from a lack of compliance or an event... The likelihood of a company telling you that they are in breach of PCI standards would be extremely low if at all.”
Dean Carter from Datacraft NZ (trading as security assessment.com) said the scheme rules stopped him from even commenting on PCI-DSS penalties.
“As a QSA I am not permitted to make any comment on penalties as a result of non-compliance to the PCI-DSS.”
Murray Goldschmidt from Sense of Security Pty Ltd, however, clearly doesn’t share Carter’s view of the rules around QSAs.
He was happy to assert that Australian companies have been hit by PCI-DSS fines.
“Fines have been levied on Australian companies. However, they are not published. We know that fines have been levied because we work closely with the card schemes on such matters.”
(eCommerce Report has invited Goldschmidt to identify either any Australian bank that has levied fines, or a company that has been fined for non-compliance.)
Finally, it is intriguing to note that there are only three Australian or New Zealand businesses for whom VISA is prepared to attest that PCI-DSS compliance has been established through an on-site inspection by a QSA.
They are Cardlink Services, Direct Payment Solutions (NZ) and two TNSI businesses, TNS Payment Technologies and Transaction Network Services.
For the complete Visa registry of services providers go to
www.visa-asia.com/ap/sea/merchants/riskmgmt/vrsp_index.shtml
For the complete list of QSAs go to
www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
For Drazen Drazic’s PCI blog go to:
http://beastorbuddha.com/category/pci/