NZ businesses without PCI DSS compliance targets for hackers

New Zealand businesses without PCI DSS compliance becoming “soft targets” for hackers

New Zealand lagging drastically behind UK and US, says security assessor

A leading data security assessment company says that New Zealand businesses are becoming “soft targets” for malicious hackers because they are lagging significantly behind the US and UK in achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) introduced by the Payment Card Industry Security Standards Council (PCI SSC).

Roger Greyling, an experienced security consultant with Security-Assessment.com (a Dimension Data company), says that unlike the USA where companies are required by law to disclose details of data security breaches, and the UK, where internet service providers and telecommunications companies are required by law to disclose data breaches under the current European Union data protection directive, no such legislation exists in Australasia.

“Currently the focus is on the clean-up of data security breaches rather than prevention. There has been no impetus for businesses to reveal data exposures and minimal fines imposed, which means there is limited incentive for businesses to comply with the PCI DSS.”

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognised information security standard for organisations that store, process or transmit cardholder information. In 2004, with the collaboration of five major international credit card companies, the standard was created to improve controls around cardholder data for the purposes of reducing credit card fraud.

“As we saw with recent high profile data breaches at Sony and Lush Cosmetics, an organisation’s reputation and assets are constantly vulnerable to attack from unscrupulous individuals.”

Mr Greyling says that the Information Commissioner's Office (ICO) in the UK can now impose a penalty of up to £500,000 for breaching the Data Protection Act, the result of which is likely to be a heightening of vigilance and installation of robust security measures in that region.

“As international hackers find it tougher to breach the increased security measures set up by businesses in their own countries, there is a growing danger that New Zealand companies will be seen as soft targets by these same hackers,” says Mr Greyling.

Mr Greyling says that in 2011, Security-Assessment.com dealt with an increasing number of businesses that had experienced security breaches, but many of these incidents go unreported.

“In New Zealand, the Privacy Commission requests that security breaches be reported to them, but without an official mandate, companies are reluctant to do so for obvious reasons. It happens more often than people realise. When it comes to data security, prevention of a breach is clearly better than any costly cure.”

Mr Greyling cites NZ-based payment processing company Debitsuccess as a leading example of a business that has taken the initiative to comply with the latest version of the PCI DSS. Security-Assessment.com was the Qualified Security Assessor Company (QSAC) that undertook the external Report on Compliance (RoC) carried out at Debitsuccess.

“Debitsuccess handles billing for more than 1,200 businesses, making them one of the largest full service direct debit initiators in Australasia,” says Mr Greyling.

“After initial due diligence, Debitsuccess decided to seek Level 1 compliance under the new ‘version 2.0’ Standard, which was not a compulsory requirement at the time.”

Mr Greyling says having now achieved a passing Report on Compliance (RoC), Debitsuccess is one of a few companies in Australasia to meet the latest version 2.0 requirements.

“Although Debitsuccess does not currently process the number of credit and debit card transactions that would mandate an external assessment to accredit the company as being Level 1 PCI DSS compliant, their exceptional achievement in a relatively short period of time puts them on the leading edge of businesses that take information security seriously.”

“The bottom line is that there needs to be a unified approach across government and financial institutions that moves New Zealand and Australia towards motivating businesses towards stricter compliance with the PCI DSS if we are to avoid becoming soft targets for data hackers on the global stage.”

To receive more information about the secure payment processing services that Debitsuccess can provide, contact info@debitsuccess.com.

For more information about Security-Assessment.com visit the website – www.security-assessment.com.

ENDS

© Scoop Media