Beverley Head
Monday, 29 November 2010 14:29
Three years after bringing in a specialist from the Reserve Bank to beef up IT security, Woolworths is still plugging gaps in its PCI compliance regime, potentially exposing the retail giant to fines of up to $500,000.
Level One retailers - which process more than 6 million Visa transactions a year - were supposed to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) by 30 September this year or risk large fines. Speaking at a Cebit-organised security conference in Sydney today, Peter Cooper, group information security manager for Woolworths, acknowledged that the organisation was still plugging the gaps.
Mr Cooper told delegates at the event that in general 'companies don't see value from compliance - they do the minimum they have to do to comply.' Woolworths' CEO however was 'particularly interested in protecting customer information.'
As a large retailer which handles credit card details, Woolworths is obliged to comply with the PCI regime, and adhere to the PCI DSS standards. Mr Cooper said that on arrival at the retailer from the Reserve Bank three years ago he had identified privacy breaches and PCI compliance as two key issues that needed to be addressed, and had begun a programme of PCI remediation.
In addition, Woolworths had determined that all new programmes would be designed to be PCI compliant. He said that an education and compliance programme called Cardsafe had also been rolled out in the group to promote awareness.
'We had very specific requirements for policy and practices. We had quite a few gaps - we are filling them in now,' he said.
The problem is that the deadline for compliance was in September this year, technically putting the retailer at risk of fines of up to $500,000, which can be levied by card issuers (and imposed on retailers by issuing banks). Mr Cooper today told delegates: 'We will try to use the PCI DSS where we can.'