Online retailers should use a PCI-compliance payment gateway for credit card transactions, or become compliant themselves, to avoid Lush-style data breaches, says the man at Westpac tasked with securing as many as 20 million credit card accounts.
Earlier this week, soap and cosmetics retailer Lush announced its stored credit card database had been compromised and warned customers to cancel any card used to buy its products online.
Qvalent network administrator, Mark Wallis, said e-commerce sites should partner with a dedicated, PCI-compliant payment gateway service to minimise their risk of a data breach.
“We have multiple levels of encryption so our data remains secure,” Wallis said.
“PCI-compliance is very complex and it’s unlikely your average online shopping site has the resources to achieve it.”
Qvalent is a wholly-owned subsidiary of Westpac and provides the payment gateway technology for its business customers.
And if you’ve made an online purchase with a credit card there’s a good chance your details are in Qvalent’s database which houses about one record for every person in the country.
Payment card industry (PCI) security is a set of standards designed to enhance payment account data security through “education and awareness”, according to the PCI Security Standards Council.
Wallis spends up to six months of his time every year working on PCI compliance, which is audited annually.
"We are one of the few Level 1 PCI DSS compliant companies in Australia and have been providing payment processing services to Westpac for about eight years," he said.
Qvalent develops its 30 to 40 applications for Westpac in Java on Oracle databases and deploys them on mainly Windows Server with some Linux.
In a win for regional Australia, all development is done at Qvalent’s head office in Wallsend, NSW. Its production servers are housed in Sydney data centres.
Wallis said IT managers should take a look at the PCI specifications as it is a good guideline for security best-practices, even if the organisation doesn’t take online credit card payments.
“Even when a small app goes down, it’s a massive PR issue,” he said. “No app should be seen as not mission-critical.”
SSL appliances replace server farm
Qvalent is now using two F5 network appliances in place of a “server farm” with as many as 10 systems.
Wallis said the server farm was becoming increasingly difficult to manage, particularly with the demands of SSL encryption.
“We chose F5 because of the level of integration and flexibility the platform offers,” he said. “It allowed us to prevent a known Java bug with a simple rule.”
“When we went to market for a PCI-compliant solution F5 was the only product we could get into and understand.”
F5 Networks appliances run custom software for network services and Linux for booting and management.
Wallis said Qvalent didn’t want a “closed box”, and that the F5 appliances can handle 2048-bit certificates without adding to the load.
Follow Rodney Gedda on Twitter: @rodneygedda
Follow TechWorld Australia on Twitter: @Techworld_AU