
Improving the security of credit card data

Adopting the PCI’s Data Security Standard will help retailers tighten their data

Online and in stores, shoppers are becoming increasingly concerned about their privacy. As a result, the credit card issuers are taking proactive steps to ensure there is proper security around consumers’ confidential data. Today’s credit card issuers are leading the way with a new global standard. In March 2005, an association of credit card companies announced a new Payment Card Industry (PCI) Data Security Standard.

The standard requires higher security for merchants that process a high volume of credit card transactions — six million a year — and it standardizes security practices around the world. For shoppers, the result is that their credit card information will be better protected by a variety of means including firewalls, encryption and restricted access.

Any merchant that processes a high volume of transactions a year — whether online, in-store or both — must be certified annually by a third-party firm. In Canada, at least 20 of the largest retailers and as many service providers will have to meet the new PCI requirements. The certification, which can only be granted by a Qualified Security Assessor (QSA), confirms that the retailer is compliant with a host of security measures.

Only four Canadian firms are designated to act as independent security assessors. Deloitte is one of them. “We’re certified to provide the external assessment of these retailers and service providers and to make sure that they remediate any problems,” explains Doug MacPherson, of Deloitte’s Enterprise Risk group. “Then we inform the credit card issuer and the acquirer that the merchant is compliant.”

The digital dozen of credit card security
The PCI certification consists of 12 security measures, such as safeguarding systems and data from computer viruses, and installing and maintaining a firewall. But these “digital dozen” requirements also involve more complex steps: organizations must establish a hiring policy for staff and contractors, and assign each person a unique ID for accessing data. In addition, they must track every employee’s access to data, including read-only access.

Currently, merchants or retailers that fall below the high volume threshold do not have to be independently assessed and certified under the PCI standard. But some credit card issuers, such as Visa Canada, have established national requirements for major retailers. For instance, Visa’s Account Information Security program requires merchants in Canada that fall below the threshold (whether they’re bricks-and-mortar, mail-order or telephone-order merchants) to ensure that an independent third party reviews their self-assessment.

Reduced risk, increased confidence
Such security programs have been in place for several years, due largely to the rapid growth in online shopping. The difference now is that a global association of credit card issuers is enforcing a worldwide standard. Although the PCI measures only apply to Canada’s largest retailers, other standards, such as Visa’s AIS program, are also demanding tighter security. Industry observers predict that smaller retailers will soon have to adopt similar security measures.

The players

The payment card industry has its own language. Aside from consumers, there are a number of key players involved in credit card transactions behind the scenes.

  • The issuer – a credit card company, such as Visa
  • The acquirer – a credit card processor, such as Moneris
  • The merchant – a credit card acceptor, such as Sears
  • The service provider – the network or server between the merchant and the acquirer, such as NCR