Director at Watson Hall Ltd
12 August 2011 09:12am
An ICO press release on Wednesday relating to Lush Cosmetics insecure website and data breach in Oct 2010-Jan 2011 mentions they see PCIDSS for online retailers as part of a personal data protection strategy:
"As a result of the breach, the ICO has required Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard. The ICO is taking this opportunity to warn online retailers that if they do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, they risk enforcement action from the ICO.
Has this affected what anyone is doing?
Ecommerce Director at Monocore
24 August 2011 09:48am
Very interesting, Colin. I am assuming from the nature of the Lush breach that the ICO is referring to only those non-PCIDSS-compliant online retailers who handle card data themselves. However, if that's the case then their statement is poorly worded and confusing.
Forcing the many thousands of online retailers who use third party payment gateways to become PCIDSS compliant seems extreme, given that they've already been responsible enough to use a payment gateway to minimise risk in the first place. Like the cookie legislation, it's also likely to increase costs for retailers too.
Card data aside, though, the thing that's always baffled me with PCIDSS and e-commerce platforms in general is how few of them actually bother to encrypt customer data.
Passwords are typically encrypted with md5 (which is crackable with enough time) but the bulk of other personal data, including email, name and postal address are not (at least in most of the platforms I've seen). Granted, they're not as sensitive as credit card details, but I'm sure most people would expect them to be stored more securely than they are.
24 August 2011 18:22pm
Yes, I presume it means "other non-compliant online retailers". Online retailers who use third party payment gateways, and have no card data themselves, still have to comply - but the scope is often much reduced.
MD5 hashing strictly isn't encryption at all (it is "hashing"), but you are correct, that method can be reversed. Avoiding collecting such data and minimising its retention can also help. Encryption is almost always a great control for data in transit & stored data (e.g. backups), but access control of decrypted data in use needs to be thought about too. Encryption also requires careful storage and management of the keys.
Free market research on digital marketing
Daily Pulse: award winning newsletter
It takes 30 seconds to register