Survey issues retail PCI 3.0 warning
By Retail Technology | Friday November 1 2013
The majority of retail sector does not meet new PCI data security standards, according to recent industry security management survey results
The results of a survey into levels of readiness for the upcoming introduction of version 3.0 of the Payment Card Industry Data Security Standards (PCI DSS) have found retailers lacking.
The new version 3.0 PCI standards will require businesses to implement and perform penetration testing. And it will clarify different methods of secure authentication and session management so businesses can better protect themselves against man-in-the-middle, man-in-the-browser and other similar cyber attack methods when it becomes effective on 1 January 2014.
But the survey of over 160 UK and US retail respondents out of 1,320 IT security, operations and risk management, business operations, compliance/internal audit and enterprise risk management professionals, carried out by security management provider Tripwire with the Ponemon Institute, found very few were already prepared.
Testing a lack of readiness
Only 41% of retail respondents questioned used penetration testing to identify security risks. Just over a third (34%) measured the reduction in access and authentication violations to assess risk management efforts. And only 44% of the retail sector had fully or partially deployed file integrity monitoring.
But a further 62% of IT professionals in the retail sector said that negative facts about security risks are filtered before being communicated with senior executives.
“Although these survey results don’t reflect it, the retail industry is very focused on PCI 3.0 compliance,” commented Michael Thelander, director of product management for Tripwire. “And Tripwire is hard at work to make these new controls less expensive, easier to implement, more scalable and more intelligent out of the box.”
PCI DSS and Payment Acceptance (PA) DSS versions 3.0 will be published on 7 November 2013. Version 2.0 will remain active until 31 December 2014 to give merchant organisations adequate transition time.