[LINK] Banks 'oblivious' to credit card compliance mandate

Bernard Robertson-Dunn brd at iimetro.com.au
Fri Sep 22 13:40:59 AEST 2006


<brd>
Are these the same banks that want to make use of the new Access Card?
</brd>

Banks 'oblivious' to credit card compliance mandate
Darren Pauli
Computerworld
22/09/2006 12:01:02
http://www.computerworld.com.au/index.php/id;1280136952;fp;16;fpid;0

Widespread confusion in Australia's banking industry about new 
compliance measures has led to five breaches of the Payment Card 
Industry (PCI) data security standard.

Visa and MasterCard led the instigation of the mandate, which is already 
more than a year old, but awareness of the PCI standard in Australia 
remains extremely low.

Version 1.1 of the standard, the rules of which are aimed at protecting 
credit card data via encryption, end-user access and handling 
procedures, was introduced on September 7, 2006.

But because it was a US-led standard, there has been confusion about 
local compliance requirements, although Visa confirmed last week that it 
has been officially mandated in Australia.

Visa Australia and New Zealand risk manager Ian McKindley said banks and 
merchants are largely ignorant of PCI requirements despite extensive 
campaigning.

"Awareness of PCI in Australia is far lower than we would have hoped 
[despite] a series of seminars being held in [both countries]; we also 
posted more than 300,000 fliers to merchants earlier this year," 
McKindley said.

"Banks have a responsibility to communicate PCI to their merchants and 
third-party processes; it is up to the acquiring banks to ensure their 
merchants are aware and compliant."

The standard lists 12 broad controls that retailers, online merchants, 
data processors and other businesses must implement to protect 
cardholder data.

According to McKindley, there have been five breaches in the past 12 
months, but no fines were issued because "the company's IT employees 
were innocently ignorant".

But merchants who fail to comply can face fines of up to $US500,000 or 
be excluded from processing credit cards.

NIIT Technologies sales director Stewart Evans said this lack of 
awareness by Australian banks affects the merchants' ability to become 
compliant.

"The banks themselves are oblivious; it is a real concern," Evans said.

Evans cited examples of NIIT clients who have been thrown into a "mass 
panic" after receiving correspondence on PCI compliance.

What the PCI data security standard requires
Version 1.1 of the PCI standard's requirements was mandated on September 
7, 2006.

PCI became a universal requirement on June 30, 2005, for all entities 
handling credit card data.

Merchants processing between one million and six million transactions 
for Visa, MasterCard, American Express, Discover Financial Services or 
Japan Credit Bureau are defined under 'level 4' and are required to fill 
out a 75-question, self-assessment form annually.

Merchants must also review, and demonstrate compliance of, the network 
components, servers and applications attached to point-of-sale 
facilities, and undertake quarterly vulnerability scans.

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au
