Australian Compliance Confusion Leads to Security Breaches

Widespread confusion in Australia’s banking industry about new compliance measures has led to five breaches of the Payment Card Industry (PCI) data security standard.

Visa and MasterCard led the instigation of the mandate, which is already more than a year old, but awareness of the PCI standard in Australia remains extremely low.

Version 1.1 of the standard, the rules of which are aimed at protecting credit card data via encryption, end-user access and handling procedures, was introduced on September 7, 2006.

But because it was a US-led standard, there has been confusion about local compliance requirements, although Visa confirmed last week that it has been officially mandated in Australia.

Visa Australia and New Zealand risk manager Ian McKindley said banks and merchants are largely ignorant of PCI requirements despite extensive campaigning.

“Awareness of PCI in Australia is far lower than we would have hoped [despite] a series of seminars being held in [both countries]; we also posted more than 300,000 fliers to merchants earlier this year,” McKindley said.

“Banks have a responsibility to communicate PCI to their merchants and third-party processes; it is up to the acquiring banks to ensure their merchants are aware and compliant.”

The standard lists 12 broad controls that retailers, online merchants, data processors and other businesses must implement to protect cardholder data.

According to McKindley, there have been five breaches in the past 12 months, but no fines were issued because “the company’s IT employees were innocently ignorant”.

But merchants who fail to comply can face fines of up to US$500,000 or be excluded from processing credit cards.

NIIT Technologies sales director Stewart Evans said this lack of awareness by Australian banks affects the merchants’ ability to become compliant.

“The banks themselves are oblivious; it is a real concern,” Evans said.

Evans cited examples of NIIT clients who have been thrown into a “mass panic” after receiving correspondence on PCI compliance.

What the PCI data security standard requires

Version 1.1 of the PCI standard requirements were mandated on September 7, 2006.

PCI became a universal requirement on June 30, 2005, for all entities handling credit card data.

Merchants processing between one million and six million transactions for Visa, MasterCard, American Express, Discover Financial Services or Japan Credit Bureau are defined under ’level 4’ and are required to fill out a 75-question, self-assessment form annually.

Merchants must also review and generate compliance network components, servers and applications attached to point of sale facilities and undertake quarterly vulnerability scans.

By Darren Pauli, Computerworld Australia

Keep checking in at our Security Feed for updated news coverage.