Visa working with Australian vendors on security issues

21.08.2006
Online merchants should find meeting the Payment Card Industry Data Security Standard (PCI DSS) neither intrusive nor expensive if the quarterly network vulnerability scans already required in the U.S. are mandated in Australia, according to Visa-approved assessors.

Last week, Computerworld reported that the U.S. mandate for Visa Level 4 merchants requires them to submit to quarterly network vulnerability scans and to complete a 75-question self-assessment form annually.

Scanning has yet to be mandated in Australia, and Visa-approved penetration testers contacted by Computerworld said that only detailed web application and network penetration testing provides a materially higher level of assurance than automated scanning. Such testing is a requirement of the standard itself, but one that is not formally assessed for merchants at the "lower end".

Robert Goldberg, KPMG risk advisory partner, said Visa has already arranged relationships with various service providers to supply basic scanning tools, minimising both cost and impact; small credit card merchants should therefore not find compliance, if mandated in Australia, either intrusive or expensive.

"The reason it [compliance] gets a negative reaction from merchants is [because] when they implement applications and set up their network none of these requirements were built-in, so the merchants end up bolting on security they never even considered to begin with," Goldberg said.

"Time to market for usability and the time to market online are key and diametrically opposed to security, but in my view compliance should be a business enabler done in a safe manner.