Mr Cooper told delegates at the event that in general 'companies don't see value from compliance - they do the minimum they have to do to comply.' Woolworths' CEO however was 'particularly interested in protecting customer information.'
As a large retailer which handles credit card details, Woolworths is obliged to comply with the PCI regime and adhere to the PCI DSS standard. Mr Cooper said that on arrival at the retailer from the Reserve Bank three years ago he had identified privacy breaches and PCI compliance as two key issues that needed to be addressed, and had begun a programme of PCI remediation.
In addition Woolworths had determined that all new programmes would be designed to be PCI compliant. He said that an education and compliance programme called Cardsafe had also been rolled out in the group to promote awareness.
'We had very specific requirements for policy and practices. We had quite a few gaps - we are filling them in now,' he said.
The problem is that the deadline for compliance was in September this year, technically putting the retailer at risk of fines of up to $500,000, which the card schemes levy on acquiring banks and which those banks pass on to their merchants. Mr Cooper today told delegates that: 'We will try to use the PCI DSS where we can.'
Asked by iTWire how advanced Woolworths was with PCI DSS, and how long it would take to achieve full compliance, Mr Cooper declined to comment.
Ajay Unni, managing director of Stickman Consulting, also presenting at the conference, said that achieving PCI compliance, which demands adherence to the standard's six control objectives and 12 requirements, cost retailers millions of dollars. However, he said that there were fines of up to $500,000 available to the card schemes for non-compliance.
He outlined a recent PCI remediation that his company had completed for an Australian retailer, which had introduced new processes and systems and banned insecure practices such as sending customer credit card data in emails.
Mr Unni said that all Australian retailers which handle credit card details are obliged to comply with the PCI DSS standard, and said that he was aware of a number of fines which had already been issued after breaches of the compliance code were detected.