Each time a credit card is used in a transaction, that payment card number takes a long and winding trip between merchants, banks, systems and third parties. As such, the risk of identity theft, customer data loss and security breaches has grown rapidly, as organisations grapple with the best ways to transport business-critical.
Unfortunately, breaches are frequent - card data is leaked through e-mail systems, off stolen laptops or off CDs. Such episodes not only result in personal and financial information being compromised, but also in a loss of confidence in the company with which the customer was transacting business when the fraud occurred. This loss of confidence can happen even when the breach was perpetrated by a third party and was not directly the fault of the company involved in the transaction. The consequences for the merchant are equally, if not more, painful in the event of a security breach leading to credit card fraud or data theft. According to Forrester Research, an average security breach can cost a company between US$90 and US$305 per lost record. The merchant is left in the arduous position of having to bear possible legal action, an erosion of its brand reputation, any expenses necessary to rectify this damage and the inevitable loss of these customers.
In response to growing industry and consumer concerns, the Payment Card Industry (PCI) Security Standards Council - comprising American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International - has created the PCI Data Security Standard (PCI DSS) designed to protect card-holder data.
There are 12 principles which make up the PCI DSS, divided into six categories. The first category, for instance, is 'Build and maintain a secure network', with two requirements: install and maintain a firewall configuration to protect cardholder data; and do not use vendor-supplied defaults for system passwords and other security parameters. The other categories cover areas such as protecting cardholder data, maintaining a vulnerability management programme, implementing strong access control measures, and regularly monitoring and testing networks, security systems and processes.
Incentives
The PCI DSS is not law, but rather an exercise in industry self-regulation, requiring the compliance of all merchants and service providers that store, process or transmit cardholder data.
All payment channels, including e-commerce enabled websites using an online payment gateway, are subject to the policy, while compliance is maintained through a combination of incentives and the imposition of onerous penalties such as fines and other sanctions for non-compliance.
Incentives include the ability to retain preferential processing fees; penalties may be fines of up to US$500,000 per incident or US$50,000 per day levied for non-compliance. Other sanctions may include the removal of point-of-sale equipment and/or revocation of card association memberships. The scope and nature of both incentives and penalties are left to individual card associations to determine.
Growing acceptance of the Internet as a convenient marketplace, coupled with the high costs to both the customer and merchant of a security breach leading to credit card fraud or data theft, makes it imperative that merchants implement available security technologies to achieve compliance with the PCI DSS and minimise the risk of such breaches.
What is needed is an ongoing, proactive and systematic approach towards protecting data. This begins by securing all the communication channels between the various parties involved in the transaction. There are now IT solutions available that are able to protect the two most common channels used in online credit card transactions - e-mail and file transfers.
Apart from protecting e-mail communications, there is a need to protect communications between merchants and the payment processor. Securing these types of file transfers is critical as they involve massive amounts of sensitive data.
Fortunately, solutions are currently available that can ensure end-to-end protection for file transfers through a two-tier security architecture comprising strong encryption and access controls.
The bottom line is a system that can generate the confidence necessary to make online credit card transactions comfortable for everyone.
The writer is the Regional Vice-President, Asia-Pacific & Japan, Tumbleweed Communications