Tuesday, 13 November 2007

Does PCI-DSS affect your organisation?

The Payment Card Industry Data Security Standard (PCI-DSS), also known as the “digital dozen”, is a standard developed to ensure acceptable levels of security are maintained over information transmitted and stored by any organisation that processes credit or debit card information. If your organisation is a merchant, third party service provider or a financial institution and you store, process or transmit any credit card/debit card information, then you are required to comply with the PCI-DSS standard.

In order to reduce the number of incidents of credit card fraud, the Payment Card Industry has developed a standard (which is a requirement under the merchant contract) that places the accountability for securing credit card information with the merchant that handles the information. These organisations are contractually bound to comply with the standard.

Consequences of Non-Compliance
In March 2007, TJX Companies Inc., a corporation that owns a large chain of department stores in the US and other countries, learned this the hard way. Hackers breached the TJX network and compromised at least 45.7 million credit and debit cards. The company now faces more than a dozen class action lawsuits.

Why PCI has teeth in Australia
There is growing confusion as to whether the PCI-DSS standard can be enforced in Australia. In 2006 there were five breaches, but no fines were issued, reportedly because the workers involved were “innocently ignorant.” However, with the release of PCI-DSS version 1.1, VISA has confirmed that PCI-DSS will be mandated in Australia.

If your company accepts or stores credit card information, it is required to comply with the PCI-DSS based on the criteria described above. Your financial auditors should inquire as to your PCI-DSS compliance status and controls. Be forewarned: providing false information to the auditors carries even more severe risks, as a provision in the Corps Act S1309(1) (“False Information”) makes it a criminal offence to issue a false report to directors and auditors, which includes any reports to IT auditors or reports issued as part of the financial audit.

1 comment:

pci compliance said...

Does PCI-DSS affect your organisation