PCI-DSS and the ICO

Companies that fall below card payment standards risk being fined, the ICO says. This is in addition to the PCI fines and costs.

Businesses that fall short of set standards for ensuring the security of credit card data could be fined by the UK’s data protection watchdog.

The Information Commissioner’s Office (ICO) said that retailers that fail to process payment information in accordance with the Payment Card Industry Data Security Standard (PCI DSS) “or provide equivalent protection when processing customers’ credit card details” risk action being taken against them.

PCI DSS is the main standard governing the storage, processing and transmission of payment card data. It sets out 12 requirements specifying the steps that should be taken to keep payment card data safe both during and after transactions. The standard was established by the PCI Security Standards Council, which comprises the major payment card brands, including American Express, Visa and MasterCard.

Under UK data protection laws the ICO has the power to fine organisations up to £500,000 for serious breaches of the laws which govern the protection of personal data. Under the provisions of the Data Protection Act, UK organisations that store personally identifiable information must adhere to certain principles, which include ensuring that data is properly secured and is not accidentally lost or damaged.

The ICO issued its warning after finding that website hackers had been able to access the credit card information of 5,000 consumers who had shopped with cosmetics retailer Lush. The ICO said the data was “compromised” for four months, between October 2010 and January 2011.

Lush received 95 complaints from customers who had been victims of fraud. It identified a “security lapse” in January this year and immediately restored the website’s security, the ICO said.

An ICO investigation found that the measures Lush employed to secure customers’ payment details were “not sufficient to prevent a determined attack on their website”. The retailer’s methods for recording suspicious activity were not adequate either, and this meant there was a delay in the time it took the company to spot that its security had been breached, the ICO said.

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals,” Sally Anne Poole, Acting Head of Enforcement at the ICO, said in a statement.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back,” Poole said.

Source: Out-Law.com

What this means for companies in the UK is that not only do they face potential fines of up to £300,000 from the card brands for PCI DSS non-compliance, they also potentially face a second fine from the ICO on top. That gives a total potential fine of up to £800,000. How many businesses could afford to pay that, as well as the cost of reimbursing the card companies for money lost to fraud following a business’s failure to take the measures required by PCI DSS?