[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Monday, 18 April, 2005, 07:45 GMT 08:45 UK
Web shops face tighter security
By Mark Ward
Technology Correspondent, BBC News website

Shopping trolley on sign, BBC
Websites are being forced to take care of shopper data
Web shops are being forced to improve the way they handle customer data.

From 30 June this year all web shops will have to comply with strict security standards drawn up by the world's big credit card companies.

Online shops will be certified annually and checked quarterly to ensure they maintain the security standards.

Websites which flout the rules could be banned from trading or left to soak up the costs of break-ins all by themselves.

Locked door

The move to tighten up security at online shops happens as increasing numbers of firms report that customer data has been lost or stolen.

In February the Bank of America said it had lost more than 1.2 million customer records - though it said there was no evidence that the data had fallen into the hands of criminals.

More recently LexisNexis, ChoicePoint and HSBC have all revealed that data about customers has been lost to attack by criminal hackers.

It is estimated that this year alone more than 2 million customer records have gone missing or been stolen.

In an attempt to raise the baseline security practices of online merchants and payment processing firms, Mastercard, Visa, American Express, Diners, Discover, and JCB have drawn up standards that dictate what web shops must do to keep safe.

Before these standards were drawn up separate credit card firms and banks had their own different security compliance programs.

Money in cash box, BBC/Corbis
Firms that lose customer records could suffer
"But on data security it became very apparent that this an industry issue that needed to be addressed by the industry as a whole," said John Verdeschi, vice president in Mastercard's VP internet security and e-commerce division.

Now all the big credit card firms are aligned behind the Payment Card Industry Data Security Standards that force secure practices on web shops and payment processors.

To comply firms must scan networks four times a year and carry out an annual audit to ensure that the way they work is as safe as the standards demand.

Basic steps

All web shops that process more than 20,000 transactions per year will have to comply with the PCI standards no matter where they are in the world. This means that tens of thousands of web shops will have to become compliant with the new rules.

The standards go as far as to dictate what length passwords must be, how often they must be changed and force firms to be very careful with credit card information and who gets access to it.

Philippe Courtot, founder of security firm Qualys which will help firms ensure they comply with the standards, said firms that flout the rules face having payment requests refused or bearing the cost of security breaches by themselves.

If large numbers of credit card numbers were stolen or lost, liabilities could run into millions.

"If you do not adopt these rules and do suffer a compromise the cost of that could be excruciating," said Mr Verdeschi. "That's a pretty good incentive to accomplish this."

Chris Dipple, technical director of UK payments processing outfit SecPay, said anyone that wants to keep on trading on the net must comply with the standards.

"The banks will not talk to you unless you have these standards," he said.

Mr Dipple said there was no doubt that many merchants would have to undergo big changes in the way they worked to comply and prove that they are taking enough care.

"I'd encourage any major merchant to get on with it even if Visa and Mastercard are not knocking on their door at the moment," he said.

Security scare hits HSBC's cards
15 Apr 05 |  Business
Data safety at top of the agenda
15 Apr 05 |  Technology
Have hackers recruited your PC?
17 Mar 05 |  Technology
Rise of zombie PCs 'threatens UK'
22 Mar 05 |  Technology
The spies watching while you type
17 Mar 05 |  Technology
Net security bug prompts warnings
13 Apr 05 |  Technology

The BBC is not responsible for the content of external internet sites


News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific