The burden of payment card industry (PCI) compliance is costing Australian companies thousands of dollars each month as organisations struggle to meet the stringent requirements of the data security standard known as PCI DSS.
Managed security service provider, earthwave, has become the first Australian provider of its kind to attain the Payment Card Industry Data Security Standard (PCI DSS) certification, a set of rules and requirements that govern the handling of credit card data.
The certification comes in response to increased calls from clients, as payment card brands such as Visa and Mastercard begin to enforce fines for non-compliance with the standard. And recent changes to the PCI DSS require merchants who outsource their security infrastructure management to ensure their providers have also gained the Attestation of Compliance.
The PCI DSS was developed by the PCI Security Standards Council, which includes major payment players such as Visa and Mastercard. It applies to anybody who stores, processes or transmits cardholder data. The validation requirements vary based on factors such as transaction volume. And, in addition to the requirements already in play, Visa will begin to enforce its Prohibited Data Storage Deadline for Level 1 and 2 merchants from September 30.
“We have seen a big push from clients,” said Carlo Minassian, CEO of earthwave, whose clients range from merchants to hosting providers who themselves don’t want to have to go through the accreditation process. “Half our clients were already being fined for each month of non-compliance and those fines are quite hefty.”
The new PCI standard mandates the need to have a certified service provider so that they are not the weakest link in the chain, Minassian said. While this doesn’t generally include providers such as ISPs who provide interconnectivity – communication links without access to the application layer of the communication link – relatively few Australian providers have achieved the certification.
Meeting the requirements, which take in aspects such as firewall management, intrusion detection, logging, file integrity monitoring and alerts, can be a lengthy process for companies just beginning their compliance journey. But earthwave’s managed security services already hold accreditations such as the Information Security Management System standard ISO 27001 and the Defence Signals Directorate’s ICT security management standard, ACSI 33.
“We didn’t realise the impact of the accreditation until a couple of months ago,” Minassian said. “But many of our clients began to tell us they needed to engage a service provider who was specifically certified.”
Bridge Point Communications undertook the compliance assessment, which took about two months and specifies 12 requirements across security technology and business processes.