Retail Matters May 2007
Welcome to Retail Matters which aims to highlight some current legal issues relevant to the retail sector. Cobbetts has extensive experience of advising clients involved in the sector, both retailers and those involved in other parts of the supply chain.
Our experience is spread across a wide range of legal issues and also across our network of offices. We are keen to use our experience, knowledge and contacts in the sector for the benefit of our clients. This newsletter is one way in which we can share some of our experience with you.
New standard to combat credit card fraud
As credit card fraud continues to increase, the major card brands have reacted by introducing a common set of controls for payment security that applies worldwide: the Payment Card Industry Data Security Standard (PCI DSS), currently at version 1.1.
Member banks, merchants and service providers must follow the requirements of the standard under their contracts with the card brands.
The standard contains 12 requirements, which are intended to help organisations take active steps to protect their customers' account information.
In order to comply fully with the standard, every organisation to which it applies must implement all of the controls and validate their effectiveness annually. As from 1 January 2007 all new certifications and re-certifications must be based on PCI DSS version 1.1.
Penalties for non-compliance are severe and could result in major embarrassment and reputational damage. Offending companies can be barred from processing card transactions, higher processing fees can be applied and, in the event of a serious breach, fines of up to £250,000 can be levied for each instance of non-compliance.
The 12 requirements, which may be enhanced and updated by the PCI Security Standards Council as circumstances require, are grouped under six headings:

Build and maintain a secure network
Requirement 1: install and maintain a firewall configuration to protect cardholder data
Requirement 2: do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
Requirement 3: protect stored cardholder data
Requirement 4: encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management programme
Requirement 5: use and regularly update anti-virus software
Requirement 6: develop and maintain secure systems and applications

Implement strong access control measures
Requirement 7: restrict access to cardholder data by business need-to-know
Requirement 8: assign a unique ID to each person with computer access
Requirement 9: restrict physical access to cardholder data

Regularly monitor and test networks
Requirement 10: track and monitor all access to network resources and cardholder data
Requirement 11: regularly test security systems and processes

Maintain an information security policy
Requirement 12: maintain a policy that addresses information security

Further details can be found at www.pcisecuritystandards.org/tech/index.htm
If you have any queries, or require more detailed advice on this or any other related issue, please contact:
Susan Hall 0845 165 5409 susan.hall@cobbetts.com