PCI's Bob Russo: Data loss hurts brand more than a fine

For example, there are specific sections in the standard that set out how credit data is to be stored. But it has to be decided whether, if the data is being stored in a certain way, using particular technologies, they would be sufficient to deal with the threats to its security.

We also introduced the Payment Application (PA) DSS. And before the end of the year, we'll be releasing two additional controls to the existing PED [PIN entry device] standard around unattended payment terminals and hardware or software host security modules.

Having had the opportunity to get feedback on the current release of the standard from merchants and card payment companies, what have been the areas that have attracted the most debate?

I wouldn't say we've had any debate, so much as clarifications, as version 1.2 sought to do, along with the combination and simplification of some of the forms that have to be completed. There were some clarifications on timings and on what security components are in or outside of its scope, such as routers and firewalls. But any organisation handling sensitive data has to use the security features of both. And the standard applies just as much to paper media as it does to electronic media, as another example.

Another area that was discussed was the fact that a lot of merchants have gone down the WEP security route for their wireless networks. But events at TJX and other companies have proven WEP password security is not as secure as it used to be and so we've set a deadline of 31 March 2009, after which there should be no new installations of WEP security. And by June 2010, there should be no WEP installations at all.

Well, I'm sure you can imagine that there were a few that weren't too happy about that, especially as a lot of major merchants have spent a lot of time and money on their wireless networks. But even they, perhaps grudgingly, understand that WPA and WPA2 wireless security standards are far stronger. And the deadlines for transition should give everybody enough time to get ready.
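The WEP phase-out described above has two dates in it: no new WEP installations after 31 March 2009, and no WEP at all by June 2010. The following is an added example, not part of the original interview or any PCI SSC material, showing how a merchant could run its wireless inventory against that timeline. The inventory records and access-point names are constructed for the example, and treating "by June 2010" as 30 June 2010 is an assumption made here.

```python
from dataclasses import dataclass
from datetime import date

# Deadlines as stated in the interview for the PCI DSS v1.2 WEP phase-out.
# "By June 2010" is read here as end of month; that is an assumption.
NO_NEW_WEP_AFTER = date(2009, 3, 31)
NO_WEP_AT_ALL_AFTER = date(2010, 6, 30)


@dataclass
class AccessPoint:
    """One wireless access point from a merchant's asset inventory."""
    name: str
    encryption: str   # "WEP", "WPA", "WPA2" or "OPEN" (as recorded by the merchant)
    installed: date   # date the access point went into service


def assess(ap: AccessPoint, as_of: date) -> str:
    """Classify a single access point against the WEP phase-out timeline."""
    enc = ap.encryption.upper()
    if enc in ("WPA", "WPA2"):
        return "compliant"
    if enc == "OPEN":
        return "non-compliant: no encryption on a network in scope"
    if enc == "WEP":
        # Rule 1: nothing new on WEP after the March 2009 cutoff.
        if ap.installed > NO_NEW_WEP_AFTER:
            return "non-compliant: new WEP installation after 31 March 2009"
        # Rule 2: legacy WEP must be gone by the June 2010 deadline.
        if as_of > NO_WEP_AT_ALL_AFTER:
            return "non-compliant: WEP still deployed after 30 June 2010"
        days_left = (NO_WEP_AT_ALL_AFTER - as_of).days
        return f"remediate: legacy WEP, {days_left} days until 30 June 2010"
    return f"review: unrecognised encryption setting '{ap.encryption}'"


def audit(inventory, as_of: date) -> dict:
    """Map each access point name to its assessment on the given date."""
    return {ap.name: assess(ap, as_of) for ap in inventory}


# Constructed sample inventory (hypothetical store access points).
SAMPLE_INVENTORY = [
    AccessPoint("store-01-pos", "WPA2", date(2008, 11, 3)),
    AccessPoint("store-02-pos", "WEP", date(2007, 5, 1)),    # legacy WEP
    AccessPoint("store-03-pos", "WEP", date(2009, 6, 15)),   # installed after cutoff
    AccessPoint("store-04-guest", "OPEN", date(2008, 2, 20)),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_INVENTORY, date(2009, 9, 1)).items():
        print(f"{name:16} {verdict}")
```

Running the audit with different `as_of` dates shows the same legacy WEP record moving from "remediate" to "non-compliant" once the June 2010 deadline passes, which is the check an assessor would want to repeat as the deadlines approach.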

So, if you are finding overall agreement over the specifications of the standard, how easy has it been to get businesses to take the threat of non-compliance seriously?

Lots of companies I meet that are getting compliant are trying to deal with not having any security standards in place at all. They are using PCI DSS as a springboard to get security on the business agenda.

And the largest, Tier 1, retailers have been using legacy systems that were installed 10 to 15 years ago. You have to remember that what was available in security terms was quite a bit less than is available now. Retrofitting these security technologies is a very delicate thing to do and costs quite a bit, perhaps even more so in making sure it doesn't cause any problems to the business.

Miya Knights

A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.

Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.