Following the shopping weekend that caused ‘Black Friday' and ‘Cyber Monday' questions have been asked whether a level of 'preparedness' should be part of PCI DSS compliance for ecommerce sites.
In an SC Magazine debate, opinions contrasted on whether sites should be better prepared without having to recruit extra staff and as part of the regulatory rulings.
One commenter said that the answer ‘is obviously yes' as ‘why [would] anyone risk their site being off line at the busiest shopping time of the year'.
In agreement was Amichai Shulman, CTO of Imperva, who pointed at the YouGov/VeriSign survey. He said: “Judging by data from the survey it is apparent that ecommerce sites who could demonstrate their commitment can increase their traction and sales, not only by appealing to existing online shoppers but to an entire population that is currently refraining from doing online shopping.”
However Dave Whitelegg, information security manager at Capita, said: “No, simply put the PCI DSS is about protecting cardholder data, and is not about payment processing availability, nor should it or will it ever be about anything else.
“As long as backup systems/data recovery environments are operated in full compliance with the PCI standard, that is all that is important as far as the standard is concerned, the ability to take a transaction or not has no relevance to the purpose of the PCI standard.”
Commenting, Simon Black, managing director of Sage Pay, said that he saw this as a possibility rather than as mandatory.
Black said: “This is absolutely not a PCI thing but good business management, we are seeing traffic growth every year and in ecommerce you need to be planning ahead and plan for significant growth.”
He further claimed that leads should be taken from high street retail stores, which are designed to handle as many customers on a weekend in December rather than on a weekday in February, by factoring in peak times.
“If it is done badly it could lose business and indirectly create a security issue”, said Black.