Saturday, 4 February 2012
The next version of the Payment Card Industry Data Security Standard (PCI DSS) – a guideline to help organizations that process card payments prevent data breaches and fraud – is due to be released on October 1.
The new release, version 1.2, did not change the requirements specified in its predecessor; instead, it ‘enhanced clarity, improved flexibility, and addressed evolving risks/threats’.
Dave Howell, Senior Solutions Manager at RSA, reveals that tier 1 vendors (more than 6 million transactions per year) in Asia need to be compliant by December 2009 – a deadline stipulated by card issuers.
He says that because of the sheer volume of transactions and other complexities, it requires a lot of effort to meet this deadline. In fact, the deadline for merchants in the US was the end of 2007, but many are still not compliant.
He also underlines the importance of maintaining that compliance. “When the audit report says you are compliant, you can’t simply walk away and wait for the next audit in 12 months’ time,” he elaborates. “If there is a data breach and you are not compliant at the time of that data breach, you are fully liable; whilst you receive a waiver if you are compliant.”
The PCI programme itself is driving a higher degree of awareness of security best practices, according to Howell. However, he highlights that determining where the data resides is still a big issue. “Especially with new media formats, you need to protect the data whether it’s on paper, electronic and even in audio media formats.”
Howell also reminds organisations that although a lot of data protection legislation is being introduced in Asia, they need to think about compliance in broader terms: “it’s about any security requirement from any entity – government, industry group, business partner, customer requirements or internal.”