Compliance with the Payment Card Industry Data Security Standard (PCI DSS) among Australian retailers needs to improve because of insecure card-handling practices, according to Dell SecureWorks general manager Simon Ractliffe.
There are 12 PCI DSS requirements, covering firewall maintenance, secure configurations, protecting stored cardholder data, protecting data in transit, anti-virus maintenance, maintaining secure systems, restricting and authenticating access, controlling physical access, logging and monitoring, testing security systems, and maintaining security policies.
Speaking at a briefing in Sydney, Ractliffe said he had come across retailers who are still taking credit card details over the phone and retaining the numbers on paper.
For example, one retailer that sells to trades people asked his advice about PCI DSS compliance.
“The tradies would be driving to a job and phone up the retailer for more products. If they [the retailer] hadn’t established a business relationship before, they would get the tradie to tell them their credit card details over the phone and write it down on a form,” he said.
“They are immediately outside PCI DSS because they are writing down credit card numbers and storing them.”
Another retailer who he spoke to kept a book with names and credit card details of clients.
“It’s terrifying for the banks that there are folks writing this stuff down. A lot of smaller retailers and their agents have no idea that they are not supposed to be doing this stuff. There is a massive gap in awareness about what the PCI DSS standards are.”
According to Ractliffe, companies can take up to three years to obtain PCI DSS compliance.
The card schemes Visa, MasterCard and American Express have started to impose fines on organisations that don't comply.
According to a Westpac guide to PCI DSS compliance (PDF), these fines can start at US$25,000 for large merchants and US$10,000 for small merchants.
If that wasn't enough incentive, Ractliffe added that criminals are after credit card information in order to re-sell it on underground Internet markets.
Follow Hamish Barwick on Twitter: @HamishBarwick