'Currently the focus is on the clean-up of data security breaches rather than prevention. There has been no impetus for businesses to reveal data exposures and minimal fines imposed, which means there is limited incentive for businesses to comply with the PCI DSS,' says Roger Greyling, a security consultant with Security-Assessment.com.
'As we saw with recent high profile data breaches at Sony and Lush Cosmetics, an organisation's reputation and assets are constantly vulnerable to attack from unscrupulous individuals,' Greyling cautions.
The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognised information security standard for organisations that store, process or transmit cardholder information. The standard was created in 2004, in collaboration with five major international credit card companies, to improve controls around cardholder data with the aim of reducing credit card fraud.
According to Greyling, the Information Commissioner's Office (ICO) in the UK can now impose a penalty of up to £500,000 for breaching the Data Protection Act, the result of which is likely to be a 'heightening of vigilance and installation of robust security measures in that region.'
Regarding Australia, Greyling says that as international hackers find it tougher to breach the increased security measures set up by businesses in their own countries, 'there is a growing danger that Australasian companies will be seen as soft targets by these same hackers.'
In 2011, Security-Assessment.com dealt with an increasing number of businesses that had experienced security breaches, according to Greyling, but he says that much of it goes unreported. 'It happens more often than people realise. When it comes to data security, prevention of a breach is clearly better than any costly cure.'
Greyling cites Australian payment processing company Debitsuccess as a leading example of a business that has taken the initiative to comply with the latest version of the PCI DSS.
'Debitsuccess handles billing for more than 1,200 businesses, making them one of the largest full service direct debit initiators in Australasia. After initial due diligence, Debitsuccess decided to seek Level 1 compliance under the new "version 2.0" Standard, which was not a compulsory requirement at the time.'
According to Greyling, having now achieved a passing Report on Compliance (RoC), Debitsuccess is one of the few companies in Australasia to meet the latest version 2.0 requirements. 'Although Debitsuccess does not currently process the number of credit and debit card transactions that would mandate an external assessment to accredit the company as being Level 1 PCI DSS compliant, their exceptional achievement in a relatively short period of time puts them on the leading edge of businesses that take information security seriously.'
'The bottom line is that there needs to be a unified approach across government and financial institutions that moves Australia towards motivating businesses towards stricter compliance with the PCI DSS if we are to avoid becoming soft targets for data hackers on the global stage,' Greyling concludes.