Royal Holloway Series 2010 Data Standard HOME

WHAT IS (PCI DSS) – What it is and PCI DSS?

WHY WE its impact on merchants NEED IT? IS IT EFFECTIVE?

The Payment Card Industry Data Security Standard aims to reduce ITS IMPACT ON MERCHANTS fraud by promoting the secure handling of payment card data. SURVEY OF UK Martin Bradley and Alexander Dent explain the principles MERCHANTS behind it, and assess its impact on retailers. FOOTNOTES & BIBLIOGRAPHY

1 Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants

1. WHAT IS IT? An organisation is certified as being compliant HE Payment Card Industry Data Security after undertaking a security assessment Standard (PCI DSS) [PCI06] was intro - against these requirements. The assessment duced to improve the security applied may be carried out by an independent asses - HOME to the protection of payment card data. sor, known as a Qualified Security Assessor

It applies to all retail merchants, , WHAT IS vendors, or any other FIGURE 1 PCI DSS? Torganisation that transmits, processes PCI DSS PRINCIPLES AND ASSOCIATED REQUIREMENTS or stores such data. Organisations who fail to WHY WE Build & Maintain a • Install & maintain a firewall configuration NEED IT? comply risk being issued with financial penalties. Secure Network • Do not use vendor supplied defaults for system passwords and other security parameters When a customer makes a purchase in a shop, IS IT EFFECTIVE? at a petrol station, in a , or online with Protect Cardholder Data • Protect stored cardholder data • Encrypt transmission of cardholder data across ITS IMPACT ON a or , they should expect their open, public networks MERCHANTS data to be looked after in a manner which pro - Maintain a Vulnerability • Use & regularly update anti virus software tects them from potential fraudsters. A PCI Program • Develop & maintain secure systems and SURVEY OF UK DSS compliant organisation should be able to applications MERCHANTS demonstrate that they are looking after the Implement Strong Access • Restrict access to cardholder data by business FOOTNOTES & customer’s credit or debit card data safely. Control Measures need to know BIBLIOGRAPHY • Assign a unique ID to each person with The PCI DSS is formed of a set of 6 principles computer access with 12 technical and operational requirements • Restrict physical access to card holder data for security management, policies and proce - Monitor & Test Networks • Track & monitor access to all network resources dures, network architecture, software • Regularly test security systems and processes and physical security. Figure 1 , right, shows Maintain an Information • Maintain a policy that addresses information these principles and associated requirements. Security Policy security 2 Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants

(QSA) 1, or, in the case of some merchants, 6 million card transactions annually. This is compliance may be certified by an internal the level into which most large retailers will audit function or Self Assessment Question - be categorised. naire (SAQ). PCI DSS categorises merchants PCI DSS applies wherever the primary account into one of four levels; these levels are deter - number or PAN is stored, processed or transmitted. mined by the volume of card transactions Other card holder data, such as the card holder that are processed by a merchant. Each card name must also be protected if it is stored in scheme 2 also keeps its own definition, which conjunction with the PAN. Certain data, known HOME is broadly in line with the PCI DSS. A level 1 as “sensitive authentication data,” must also be WHAT IS merchant is a merchant that processes over protected. However, special rules apply that do PCI DSS? not permit a merchant to store this data post 3 WHY WE FIGURE 2 authorisation . The diagram at Figure 2 , left, shows this data on a representation of a pay - NEED IT? CARD DATA REQUIRING PROTECTION ment card. IS IT EFFECTIVE? Sensitive Authentication Data Sensitive Cardholder Data It was back in December 2004 when Visa and Must not be stored under May be held subject to ITS IMPACT ON any circumstances business justification MasterCard jointly produced version 1.0 of the PCI DSS. At the time it could have been MERCHANTS considered a little forward of these two card SURVEY OF UK schemes to call this a “Payment Card Industry” MERCHANTS standard, as only two members of the industry FOOTNOTES & were at that time heavily involved. It was BIBLIOGRAPHY • Card track data When stored… not until September 2006 when American • Card validation data • Must be rendered unreadable Express, JCB and Discover officially announced Card primary account (PAN), • PIN validation value personally identifiable information their support. The formation of a not-for-profit • Issuer discretionary data held in conjunction with the PAN entity in the form of the PCI Security Standards • May be held in clear Card transaction amount, transaction Council (PCI SSC) at the same time also helped date, transaction authorisation code, to promote the standard. The Council is respon - 3 card issue sible for the development, maintenance, stor age Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants and publication of the PCI DSS. The PCI SSC stated that fraudulent use of this payment is an example of an entity created through card data occurred in 83% of these cases. the enactment of the US National A statement from Andrew R Cochran, founder Transfer and Advancement Act (P.L. 104-113) and co-editor of the “Counter Terrorism” blog, whereby the development of voluntary stan - for the “Subcommittee on Emerging Threats, dards from the private sector were actively Cybersecurity, and Science and Technology encouraged. The PCI DSS is enforced through Hearing U.S. House Committee on Homeland a merchant’s contractual relationship with an Security” on March 31st 2009, claimed that HOME acquiring 4. Any penalties for non-compli - the “terrorists who executed the devastating WHAT IS ance are issued by the card schemes to the 2004 Madrid train bombings, which killed almost PCI DSS? acquiring banks. The bank will then pass any 200 people, and who carried out the deadly July penalty on to the defaulting merchant. 7, 2005, attacks on the transportation system in WHY WE London were self-financed, in part through credit NEED IT? [AC09] card fraud” . IS IT EFFECTIVE? 2. WHY DO WE NEED IT? There is currently no Government-backed For many years, organisations have struggled legislation that forces organisations that trans - ITS IMPACT ON to adequately protect their most sensitive mit, process or store cardholder data to safe - MERCHANTS information assets, leading in many cases to guard it in an appropriate manner. Despite SURVEY OF UK breaches of security and the loss or disclosure such as Chip and PIN, that has MERCHANTS of sensitive data. There are many widely publi - been introduced across Europe in an attempt FOOTNOTES & cised incidents of high-profile data losses that to combat card fraud, the criminals are still BIBLIOGRAPHY have occurred across the globe in recent years, able to compromise computer systems where and they are still occurring [PRC09] . The 2009 the data is stored and use it to commit fraud Data Breach Investigations Report [VzB09] found in areas where such controls do not exist. that of the 90 confirmed breaches that they It was around the years 2000 to 2001 when investigated in 2008, 285 million records were notable losses were being reported. These compromised and that 80% of these records include the JK publications case of 2000 [FTC00] 4 involved payment card data. The report also whereby access to a bank’s trans - Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants action records were obtained and used to commit fraud totalling several million dollars. 3. IS PCI DSS EFFECTIVE? These incidents led to the card schemes intro - Since its introduction, the PCI DSS has certain - ducing their own security standards and ly raised the profile of payment card data adding statements into merchant terms and breaches and the fraud that occurs as a result. conditions relating to security of cardholder It has also been effective as a means to data. These standards are still in force and encourage organisations such as retail mer - HOME each card scheme uses these to assist mer - chants, who traditionally have not always been chants in attaining PCI DSS compliance. Figure so heavily regulated, to put in place formal WHAT IS 3, below, shows the respective schemes that plans to address the security of cardholder PCI DSS? underpin the PCI DSS for the major global card data. Whether the PCI DSS has had a positive WHY WE schemes. effect on reducing instances of data breaches NEED IT? Of course, there are still numerous breaches and card fraud is a more difficult question to that have occurred since these standards and answer at this stage. There is no doubting the IS IT EFFECTIVE? PCI DSS were introduced, including perhaps obvious benefits of a good information security ITS IMPACT ON one of the most widely publicised cases – the management system. However, managing risk MERCHANTS TJX breach of 2007. is at the heart of any security strategy and risk SURVEY OF UK MERCHANTS

FIGURE 3 FOOTNOTES & BIBLIOGRAPHY MAJOR CARD SCHEMES SECURITY PROGRAMS

PCI DSS

Visa International Visa Europe MasterCard JCB Information Account Information Site Data Protection Data Security Operating Data Security Program Discover Information & Security Program (CISP) Security (AIS) (SDP) Policy (DSOP) Compliance Program (DICP) 5 Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants assessment is noticeable by its apparent suggest that there is a lack of strong evidence absence as a process within the PCI DSS. This that PCI DSS has had a material impact on does not mean that there are not obvious risks reducing data breaches (although it has been to cardholder data; however, PCI DSS does not stated that the Hannaford organisation was require that individual organisations carry out not PCI compliant at the time of the breach). risk assessments. A risk assessment, if carried out correctly, will identify where cardholder A number of working groups data may be at risk. The assessment should that focus on security have HOME consider existing vulnerabilities that could lead been established to allow WHAT IS to a data breach and should identify the effec - PCI DSS? tiveness of existing controls. This may lead to like-minded organisations recommendations of further appropriate con - WHY WE trols to mitigate that risk to a level that can be to get together and discuss NEED IT? accepted by the organisation. These controls PCI DSS related issues. IS IT EFFECTIVE? may or may not necessarily be the same con - trols specified in the PCI DSS, but should have Despite this lack of effective evidence, there are ITS IMPACT ON the equivalent properties to reduce risk. strong indications that merchants have taken the MERCHANTS Even though the PCI DSS has been in force requirements of the PCI DSS seriously. A number SURVEY OF UK for 5 years, it has been difficult to find material of working groups that focus on security have MERCHANTS indicating that PCI DSS has reduced incidents been established to allow like-minded organi - FOOTNOTES & of data breaches or credit card fraud. Indeed, sations to get together and discuss PCI DSS BIBLIOGRAPHY the Verizon 2009 Data Breach Investigation related issues. Established bodies such as the Report [VZB09] states that the number of financial British Retail Consortium (BRC), the Informa - records breached in 2008 exceeded the com - tion Security Forum (ISF) and the Corporate IT bined total from 2004 to 2007.High profile Forum (tif) include workshops to discuss PCI merchant breaches reported since the introduc - DSS issues for members. Other working groups tion of PCI DSS, such as the Hannaford breach such as the PCI DSS UK Merchants Working 6 [DK08] and the Network Solutions breach [LM09] , Groups have been formed by retail merchants Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants to allow organisations to get together and discuss to combat data breaches and fraud. Ellen the standard, its implications and to share strate - Richey, Chief Enterprise Risk Officer at Visa, gies. Furthermore, there are countless - recognised the limitations of PCI DSS, stating al seminars, workshops and vendor presentations that “the standards provide a strong founda - targeted at affected organisations. tion and the best security strategies build on that foundation into a multi layered approach The payment card industry, that evolves the defence over time” [ER09] . led by Visa and MasterCard, HOME should be praised for actively WHAT IS PCI DSS? doing something about the 4. IMPACT ON UK MERCHANTS WHY WE security of cardholder data The payment card industry, led by Visa and NEED IT? MasterCard, should be praised for actively by introducing PCI DSS. IS IT EFFECTIVE? doing something about the security of card - In this respect, the PCI DSS would seem holder data by introducing PCI DSS. However, ITS IMPACT ON to have been very effective, and, as stated by many merchants would come to realise high MERCHANTS Yvette D Clarke, chairwoman of the subcom - costs, lengthy IT programs and discover diffi - SURVEY OF UK mittee on emerging threats, cyber security, culties in interpreting the standard (see section MERCHANTS and science and technology committee on 5). Supporting the view that there were early issues is a Gartner paper titled, “How to FOOTNOTES & Homeland Security in the US, “in the absence BIBLIOGRAPHY of other requirements they do serve some pur - improve the ailing PCI program” [ALPJ06] . The pose” [YC09] . Kristen Lovejoy, Director of IBM main points raised in this document are: Corporate Security, stated at the VISA security • The process is manual and fraught with summit 2009, “PCI DSS has had the single poor communications greatest impact on the industry” [KL09] . • The card schemes have not established However, the continued breaches suggest suitable compensating controls 5 7 that PCI DSS compliance alone is not enough • The Self-Assessment Questionnaire (SAQ) Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants

does not allow for compensating controls Section 5 describes a sample of the results • The effects of are unclear obtained. • The standard is too broad in scope, too detailed in some areas and not enough in others 5. MERCHANT SURVEY In order to gain some insight into how PCI DSS Of the merchants surveyed had affected some of the largest UK retailers, (including many of the top 10 we asked a selection of retailers to complete a HOME written questionnaire on their PCI DSS compli - WHAT IS UK retailers by as listed ance programme. The questionnaire sought to PCI DSS? in the Mintel Oxygen list of identify how the introduction of the PCI DSS had affected each organisation, and obtain WHY WE top 250 European retailers), views and feedback on their interpretation and NEED IT?

understanding of the standard, its value, and IS IT EFFECTIVE? 100% have a PCI compliance to establish projected costs and timescales. programme in place, and At the time of survey, all merchants surveyed ITS IMPACT ON were level 1 merchants and all had a compli - MERCHANTS 92% felt that the standard ance programme in place. None had been SURVEY OF UK was providing benefit. through a compliance assessment at that time. MERCHANTS Of the merchants surveyed, 12 responded, FOOTNOTES & During 2009 we conducted our own survey of which as mentioned earlier includes many of BIBLIOGRAPHY a number of UK merchants in order to gain the top 10 UK retailers by sales. A summary anonymous feedback on PCI DSS. Of the mer - of the responses is presented in this section. chants surveyed (including many of the top 10 UK retailers by sales as listed in the Mintel Oxygen 5.1 DRIVERS list of top 250 European retailers), 100% have a The major drivers for merchants to comply PCI compliance programme in place, and 92% with PCI DSS were identified as “brand protec - 8 felt that the standard was providing benefit. tion” and to “secure customer data”. Of the Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants choices given, these reasons were scored high suggesting that this is also a way to motivate by a significant majority of merchants. These organisations to comply. two factors are intrinsically linked, in that a breach of security for customer data would 5.2 UNDERSTANDING OF THE lead to a loss of brand reputation that could STANDARD AND GENERAL VIEWS ultimately drive customers away from a partic - A number of questions were asked looking for ular merchant. It is also an indicator that mer - each merchant’s understanding or interpretation chants do seem to take the security of cus - of the PCI DSS. HOME tomer data seriously. The other driver that • 83% of merchants surveyed felt that the WHAT IS scored highly for some was “penalty avoidance”, standard was not issued in an appropriate PCI DSS?

WHY WE NEED IT? FIGURE 4 TABLE SHOWING UK MERCHANTS PREDICTED PCI DSS PROGRAMME LENGTH AND COSTS IS IT EFFECTIVE?

Merchant PCI DSS Programme Start date Predicted Length of Programme (years) Predicted Cost (millions of £) ITS IMPACT ON MERCHANTS 1 Quarter 2 2005 5.25 1 - 2

2 Quarter 1 2006 4.25 5 - 10 SURVEY OF UK 3 Quarter 1 2006 4.25 5 – 10 MERCHANTS 4 Quarter 1 2006 4.75 5 – 10 5 Quarter 2 2006 5.5 5 – 10 FOOTNOTES & BIBLIOGRAPHY 6 Quarter 2 2006 6 10+ 7 Quarter 3 2006 5.5 10+ 8 Quarter 1 2007 3.5 5 – 10 9 Quarter 1 2007 4 5 – 10 10 Quarter 2 2007 2.5 2 – 5 11 Quarter 3 2007 3 2 – 5 9 12 Quarter 4 2007 3.5 5 - 10 Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants manner and without a good explanation of the addressed on an individual basis. requirements. This may be a reflection on the • 83% of merchants surveyed agreed that period in and around 2005 when the standard the later versions of the standard (Version 1.1 was becoming widely distributed to mer - and 1.2) improved the quality and relevance to chants, but with little warning or explanation traditional bricks and retailers. This of its importance and where to find help. appears to support the view that the earlier • 67% of merchants surveyed agreed that version was more focussed towards online- the standard seemed more appropriate to only merchants and that change was required. HOME online merchants than to traditional bricks and • Only 33% of merchants surveyed claimed WHAT IS mortar retailers. On reading the standard, it to be clear on what was needed to achieve PCI DSS? appears in places to be more relevant to, and compliance. Having such a small number of achievable by, online-only merchants 6. The respondents declare that they are clear on WHY WE complex issues on how an established national what they were required to achieve indicates NEED IT? retailer should be expected to comply with the the PCI DSS is complex and that it is not easy IS IT EFFECTIVE? requirements throughout numerous (hundreds to translate the requirements into solutions. It of) locations does not seem to be appropriately is perhaps the diversity of retail IT solutions ITS IMPACT ON considered. For example, requirement 5 in the that contributes to this complexity. This will MERCHANTS standard requires the use of regularly updated likely make it more difficult for a QSA to assess SURVEY OF UK anti-virus software. This applies to all point of a merchant’s compliance and for a merchant to MERCHANTS sale devices (tills). There are huge complexities understand a QSA’s requirement. FOOTNOTES & for retailers in managing and supporting thou - • 100% of the merchants surveyed reported BIBLIOGRAPHY sands of these devices to which even the that it was not easy to obtain good quality and smallest of changes can have a dramatic effect consistent information from the card schemes, on the operation of such a device. For an acquiring banks or their QSA. Inconsistent or online-only retailer, there is no concept of a incorrect information can only serve to frus - physical till. However, as merchants have trate an organisation and is likely to lead to become more aware of how to interpret the inappropriate and delayed solutions being 10 standard, issues such as this have been deployed. It is important that organisations Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants can have confidence in information that is pro - the standard was overall a good idea. Almost vided to them if they are to embrace the stan - all merchants agree that the PCI DSS exists to dard and efficiently. The PCI SSC have improve the security of cardholder data. This introduced more rigour into the process for is another strong indication that merchants certifying a QSA and have welcomed feedback do realise the importance of keeping this data from merchants on these matters. secure and welcome the guidance.

92% of merchants surveyed 5.3 VIEWS ON SECURITY HOME Each merchant was asked questions seeking their believed that there should be WHAT IS views on security and how it may have been PCI DSS? no charge for membership as affected by the introduction of the PCI DSS. • 92% of merchants agreed that the security WHY WE a participating organisation of cardholder data within their organisation had NEED IT?

of the PCI SSC. improved since the introduction of the PCI DSS. IS IT EFFECTIVE? This declaration indicates that despite none of • 92% of merchants surveyed believed that the merchants having been certified as compliant, ITS IMPACT ON there should be no charge for membership as a they are actively looking to implement improved MERCHANTS participating organisation of the PCI SSC. The controls. SURVEY OF UK annual fee of $2500 is seen as a deterrent to • 75% of merchants felt that the PCI DSS MERCHANTS merchants. This indicates that merchants do would not be necessary if more organisations FOOTNOTES & not see a material business benefit in becom - applied security more effectively in the past. BIBLIOGRAPHY ing a participating organisation. Greater inclu - Although all merchants were aware of good sion of merchants could lead to wider accept - standards such as ISO/IEC 27001, the contrac - ance and better understanding, and is perhaps tual obligations and financial penalties are an area that should be addressed by the PCI effective differentiators for PCI DSS. It does SSC ensuring that merchants are aware of the not necessarily mean however that PCI DSS benefits. is a better standard. 11 • 92% of merchants surveyed agreed that • 83% of merchants surveyed have used the Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants

PCI DSS to drive greater security within the that the task is greater than predicted when organisation and to improve the security they began and have revised their plans applied to other sensitive data. The high per - accordingly. Alternatively, the improved centage of merchants who have achieved this resources and expertise now available is demonstrates how the PCI DSS has had a posi - assisting merchants in achieving compliance tive impact on security stretching further than more expediently just cardholder data. There is general recognition that costs to achieve PCI DSS compliance will exceed £5 HOME 5.4 COSTS AND TIMESCALES million. This compares to a Gartner report [AL08] WHAT IS Each merchant surveyed was asked to give undertaken in the US in March 2008 that PCI DSS? projections for when they believed they would reported an average spend of $2.7 million for have completed their PCI programme and be the level 1 merchants (which had increased WHY WE in a position to undergo assessment for com - from an average of $0.5 million in 2006). NEED IT? pliance. Each merchant was also asked to give IS IT EFFECTIVE? an indication of predicted cost for the pro - gramme. The table at figure 4 below shows 6. REDUCING THE ITS IMPACT ON the data gathered from the UK merchants sur - SCOPE OF PCI DSS MERCHANTS veyed starting with the earliest starting date. The high costs that will be incurred by many SURVEY OF UK There is an interesting trend that appears of the larger merchants to achieve compliance MERCHANTS which shows that the merchants who began are partly related to the size and complexity of FOOTNOTES & their programmes earlier are generally predict - their existing environments. Stores networks BIBLIOGRAPHY ing a longer timescale. The average length of have been identified as one area where signifi - time predicted for organisations that began cant cost is incurred to achieve PCI DSS com - their programme prior to 2007 is over 5 years. pliance. Since the original thesis was written, The average time scale predicted by merchants some UK merchants are considering solutions who began their programme from 2007 is just that could reduce the scope of their compli - over 3 years. UK Merchants who began their ance programme. One such initiative is based 12 programme earlier have perhaps discovered on the strong encryption of cardholder data Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants supported by good key management. The inten - solutions [IMJLNL07] . These initiatives and others tion being to reduce the scope of the cardholder are a topic for discussion outside the scope of data environment. Further work is ongoing to this document.  develop this concept for proposal to the PCI SSC. Visa, have already released guidelines to assist merchants who wish to use encryption ABOUT THE AUTHORS as part of their solution [VISA09] . Martin Bradley has worked in information HOME security for 18 years and is currently security WHAT IS 7. FINAL THOUGHTS assurance and compliance manager at Marks PCI DSS? The value of cardholder data is the reason that and Spencer, where he is responsible for the it is sought after information for fraudsters. technical solutions required to deliver the WHY WE The numerous breaches that are still being compliance PCI DSS compliance initiatives. NEED IT? discovered are an indication that payment IS IT EFFECTIVE? card data still holds a high value for criminals. Alexander W. Dent is a lecturer in Initiatives such as PCI DSS are vital in order Information Security at RHUL. His research ITS IMPACT ON to try and reduce the number of successful interests are primarily on the theory of provable MERCHANTS attacks. Other solutions that aim to reduce the security in public-key encryption schemes. SURVEY OF UK value of the data that is held outside highly MERCHANTS secure environments should continue to be FOOTNOTES & investigated. Stronger authentication of the BIBLIOGRAPHY rightful user of a payment card is also required to enable a customer to use their card safely in all situations, including, in person, online and over the telephone. There are already several initiatives that have been introduced or are being investigated, including Chip and PIN 13 [UKP09] , 3D Secure [NC09] and even dynamic PAN Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants

FOOTNOTES 1 A QSA is an individual who has been certified to provide consultancy and guidance on PCI DSS in an official and authoritative capacity. The individual may also conduct PCI assessments on an to determine their compli - ance. The individual must work for a company that has also been authorized by the PCI SSC to provide these services 2 A card scheme is an organisation that controls the operation of credit card transactions, e.g. Visa, MasterCard, American Express. Card schemes set the business rules that govern the issue of the payment cards that carry their logo 3 Authorisation is the process performed by a bank which verifies that the customer's credit or debit card account is valid and that sufficient funds are available to cover the transaction's cost transaction. HOME 4 An acquiring bank is a bank having a business relationship with merchants, retailers and other providers to process their plastic card transactions. WHAT IS PCI DSS? 5 A Compensating Control may be used where an organisation seeking compliance with PCI DSS cannot meet a specific control requirement. An alternative control may be selected if approved by a QSA. WHY WE NEED IT? 6 An online-only merchant is viewed as a merchant that runs an e-commerce Web site for selling only, and does not trade from bricks and mortar retail stores. Most major retailers now run an online store as well as the traditional high street or retail park shops. IS IT EFFECTIVE?

7 The stores network is the term used to describe the IT networks in retail shops. These networks consist of wired and ITS IMPACT ON wireless networks and the devices such as tills, PCs and servers that are connected to them. The stores network usually MERCHANTS has connectivity back to retailers head office network. SURVEY OF UK MERCHANTS BIBLIOGRAPHY [AC09] Prepared statement Andrew R Cochran FOOTNOTES & BIBLIOGRAPHY Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Committee on Homeland Security. March 31, 2009 hearing: “Do the payment card industry data standards reduce cybercrime?” [ALJP06] Avivah Litan and John Pescatore of Gartner Research How to Improve the Ailing PCI Program. 17th February 2006. [AL08] Avivah Litan of Gartner Research PCI. Compliance remains challenging and expensive, page 7 16th May 2008 [DK08] Dan Kaplan,. Article published in Secure Computing magazine reporting on the credit card data breach at the PCI compliant Hannafords, a US supermarket chain. March 18th 2008 14 http://www.scmagazineus.com/Experts-try-to-make-sense-of-Hannaford-data-breach/article/108134/ Royal Holloway Series 2010 Payment Card Industry Data Security Standard (PCI DSS) – What it is and its impact on retail merchants

[ER09] Ellen Richey Chief Enterprise Risk Officer at Visa, March 2009. Presentation at the Visa Global Security Summit 2009 http://www.visasecuritysummit.com/popupVideo.html [FTC00] Court Case of the Federal Trade Commission case against JK Publications in August 2000. http://www.ftc.gov/os/2000/09/jkpublicationfindingsoffact.pdf] [IMJLNL07] Ian Molloy, Jiangto Li, Ninghui Li, Dynamic Virtual Credit Card Numbers – February 2007 http://www.cs.purdue.edu/homes/imolloy/slides/FC07.pdf [KL09] Kristen Lovejoy, director, IBM Corporate Security. Presentation at the Visa Global Security Summit 2009 http://www.visasecuritysummit.com/popupVideo.html HOME [LM09] Linda McGlasson Network Solutions Breach Revives PCI Debate August 10th 2009. http://www.bankinfosecurity.com/articles.php?art_id=1691 WHAT IS PCI DSS? [NC09] Nochex reference for 3D Secure http://www.nochex.com/merchant-account/security-fraud/3d-secure.html WHY WE NEED IT? [PCI06] PCI Standards Security Council https://www.pcisecuritystandards.org/ IS IT EFFECTIVE? [PRC09] 2009 Privacy Rights Clearing House – Chronology of Data Breaches http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP ITS IMPACT ON [UKP09] UK Payments Chip and PIN description of service MERCHANTS http://www.ukpayments.org.uk/payment_options/plastic_cards/card_industry_initiatives/chip_and_pin/-/page/248/ SURVEY OF UK [VISA09] Visa best practices July 2009. Data Field Encryption Version 1.0 MERCHANTS http://corporate.visa.com/_media/best-practices.pdf [VISA09a] PCI DSS qualifying merchant levels published and maintained by Visa FOOTNOTES & BIBLIOGRAPHY http://usa.visa.com/merchants/risk_management/cisp_merchants.html [VzB09] 2009 Data Breach Investigations Report. A study conducted by the Verizon Business Risk Team. http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf [YC09] Prepared statement chairwoman Yvette D. Clarke (D-NY) Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Committee on Homeland Security. March 31, 2009 hearing: “Do the payment card industry data standards reduce cybercrime?” 15