Not a month seems to go by without a report of a new high-profile data theft. The hacking of The Sun's customer database was followed by a breach in the Sony PlayStation Network, and cosmetics retailer Lush has also slipped on the proverbial bar of soap.
Each and every time a credit card transaction is made, the consumer voluntarily hands over his or her details to a multitude of companies involved in processing, authorising and recording the transaction. The Payment Card Industry Data Security Standard (PCI-DSS) exists to ensure that online retailers and others involved in payment processing meet the specified criteria relating to the handling of this data. It is enforced by credit card issuers and is not a legal mandate.
So as long as it is not a legal requirement, some card data processing organisations will try to find low-cost ways of achieving certification, and smaller retailers may not bother at all and simply hope to remain below the radar. Companies need to view security as an investment rather than a cost, and stronger enforcement of the standard will be needed to make this happen.
Take the case of Lush. In August, it was found to be in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO). The Government data and privacy watchdog investigated hackers' access to customer data, including the payment details of 5,000 customers who had made online purchases from the company.
A spokesperson for the ICO explained: “Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card-payment security. The retailer's methods of recording suspicious activity on its website were also insufficient, which delayed the time it took to identify the security breach.”
Lush was lucky to escape with nothing more than having to sign an undertaking to ensure that future customer credit card data will be processed in accordance with PCI-DSS. While there was no fine, this would still have been a very embarrassing episode for Lush's managing director.
The ICO has the power to fine companies up to £500,000 for poor data-protection practice, but last year it emerged that it had issued fines for less than one per cent of the breaches it had investigated. However, the ICO recently announced that companies will face harsher fines if they fail to protect personal data.
PCI-DSS exists to ensure retailers meet specified criteria related to handling this data, but so long as this is enforced by credit card issuers rather than through legislation, some organisations will undoubtedly ignore it altogether or try to find a low-cost way of achieving certification with the minimum of effort.
Protecting a user's card details means building credit and debit card processing systems with security in mind from the ground up. It is not about treating standards such as PCI-DSS as a mere box-ticking exercise applied retrospectively to an existing system for the minimum possible cost.
There were more than 31 million people shopping online last year, and the number of credit card transactions will continue to rise. Retailers need to recognise the value to their brands of the information that they hold and the importance of protecting it.
Do we need to wait for the inevitable Enron-style breach before being forced into a knee-jerk and heavy-handed Sarbanes–Oxley-type legislation?
We think not. Security is an investment and not a cost, and we need to start investing now. While we recognise the value of what the payment card industry has set up and the role that the ICO plays in policing the field, what we really need is for these security requirements to be enshrined in law.
We need to make them part of the legal fabric of doing business in the UK. By enshrining them in law we will reduce slip-ups in the future and, if they do happen, ensure that offenders are properly chastised for their lack of care.
Reducing credit card security breaches, particularly relating to online retail, will result in increased consumer confidence and higher spending, benefiting all retailers – but only if they make the investment in security now.
Ray Welsh is head of marketing at The Bunker