Information Security News: Organisations struggle to understand PCI DSS, call centre compliance
Confusion over the requirements and future direction of the Payment Card Industry Data Security Standard (PCI DSS) has caused some U.K. organisations to shelve their efforts while they seek clarification. The latest meeting of the U.K. PCI DSS User Group, held in London on November 5, revealed a high level of frustration among organisations grappling to meet the complex, and often unclear, requirements of the standard.
One member complained that when version 1.2 of the PCI code was introduced in October 2008, it was like starting "with a blank sheet of paper," with much of the earlier work wasted. And with version 2.0 of the code due for release next October, many members said they were hesitant about committing further effort to the task when the rules might change again.

One attendee said the matter had been debated in Prague the previous week at the meeting of the PCI Council: "People were asking whether they should be putting in end-to-end encryption or going for tokenisation, but the answer was 'watch this space.' The advice was to hold off on any decision for a while, but how can you do that if you need to be compliant?"

The head of PCI DSS compliance for one global company complained: "The costs [of becoming compliant] are spiralling. There always seems to be an opportunity to pay an extra fee to someone for some extra advice."

One high street retailer revealed that its PCI DSS compliance efforts had "ground to a halt last year" because it was unable to get clear guidance. "It's a bit of a mess. We got 60% done, but the last 40% is a bit of a nightmare," an attendee said.

A member from a large consumer goods company made a similar point: "We are far from being compliant. The last 20% to 30% is very complex," he said. "Different QSAs say different things, and give different advice."

Another complained that the different card schemes applied the standard in their own way, which resulted in much duplicated effort on the part of merchants. And a member from one large organisation revealed, to the astonishment of the group, that its acquiring bank had assured the company that it did not have to be PCI DSS compliant.

PCI DSS compliance in call centres

The main purpose of the meeting, which included members from banking, government, hospitality and retail, was to hear how call centres are affected by PCI DSS.
Graham Thomas, sales director for Semafone Ltd., described a variety of methods that companies could use to keep the three-digit security code out of call recordings: PCI DSS prohibits storing the card security code after authorisation, so a recording that captures a customer reading it out is itself a compliance failure. The most basic method would be to get call centre workers to stop the recording while the customer reads out the code, but he admitted that this was unreliable and that most recording systems were outside the control of the individual agents anyway. Another option would be not to ask for the three-digit security code at all, but that would incur greater charges from the card companies. Much more feasible approaches included: