Gerard Curtin, CEO, PixAlert

ICO Ruling Sets PCI DSS on Legal Footing For Protection Of Credit Card Data

The UK data protection watchdog, the ICO, has treated PCI DSS compliance as the minimum standard of care for companies that hold customers' credit card details. The website of Lush Cosmetics Ltd was compromised for four months, from October 2010 to January 2011, exposing the payment details of 5,000 customers and leading to several incidents of card fraud. Because Lush was not PCI DSS compliant, the ICO ruled that it had been negligent and had failed to meet its obligations under the Data Protection Act. In effect, an organisation that processes card data without meeting PCI DSS, or an equivalent standard, is also failing its obligations under the Data Protection Act.

The Lush case sets a precedent that will compel businesses to ensure their security safeguards meet industry standards such as PCI DSS, the payment card industry's data security standard. 'Although Lush had measures in place both to keep payment details secure and to record suspicious activity on its website, it was nevertheless found to be in breach of the Data Protection Act,' stated Sally Anne Poole, the ICO's Acting Head of Enforcement. 'Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that data security must be taken seriously and that the PCI DSS or an equivalent must be followed at all times.'

While Lush restored the security of the website on uncovering the incident, the ICO has required the company to sign an undertaking to process credit card data in line with the Payment Card Industry Data Security Standard (PCI DSS) in future. Although the incident was partly due to the sophistication of the attackers, the ICO considered that Lush's security measures were not sufficient to prevent a determined attack on its website. Lush was also found to have inadequate procedures for recording suspicious activity on its website, which delayed discovery of the breach. The ICO also took the opportunity to warn retailers that if they do not adopt the standard, or provide equivalent protection when processing customers' credit card details, they risk enforcement action.

The incident highlights the importance of ongoing security procedures to safeguard customer credit card data. Organisations need to ensure that their safeguards are at least as strong as industry standards, which in practice means the two things the ICO singled out: regular security checks, and the recording of suspicious activity so that a breach is detected promptly rather than months later. Continuous review through an automated audit and monitoring process is one way to achieve this. By issuing an unambiguous warning that enforcement action will be pursued in cases of negligence, the ICO has set a precedent that requires businesses to conduct regular security checks in order to comply with industry standards such as PCI DSS and fulfil their Data Protection obligations.

About PixAlert

Before an organisation can protect sensitive and valuable cardholder data (CHD), the first step is to find and document where CHD is stored across its entire data environment. PixAlert's PCI Automated SCOPE Assessment solution provides a fully automated mechanism to find where CHD is stored on any part of the corporate network. This enables organisations to understand the scope and scale of their CHD exposure across the enterprise, and lays the groundwork for successful PCI DSS compliance.

For further information, contact PixAlert or call +353-1-8994750.

Original Article Source: Computerworld.co.uk

Author: Gerard Curtin, CEO, PixAlert - 09 February 2012


 
