Standard check

by Mark Rowe

An IT services firm is urging retailers to check that their service providers, who install, exchange or return defective devices to the manufacturer on the retailer’s behalf, have security agreements in place.

The reason? In a word – or rather two – PCI DSS. That’s short for Payment Card Industry Data Security Standard. It was founded in 2006 by the payment card brands American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc, and members represent merchants, banks, processors and vendors. Visit: www.pcisecuritystandards.org.

A merchant or retailer taking payment cards has to be PCI-compliant for the banks and card companies, and they need to be able to show it. However, many don’t realise that it is wise to ensure that their service providers have security agreements in place too, claims the IT firm Barron McCann.

According to the retail IT service company, any service provider that has access to a retailer’s devices, from maintenance and repairs to disposal, must ensure they have appropriate security procedures in place. The ISO 27001:2013 information security management standard is not common among the majority of suppliers, the firm adds.

After work on government projects, Barron McCann is one such supplier that has opted to have the ISO 27001:2005 certification, soon to be upgraded to :2013.

Graham Thornton, Information Security Manager at Barron McCann, says: “Due to the nature of our work, this particular certification covers the provision of servicing, service replacement, technical support and decommissioning of IT equipment. This is in force throughout the entire company and provides our retail customers with the confidence that information security measures are in place. All our engineers have security procedures they need to comply with when they exchange devices as well as procedures to assess/monitor if it’s been tampered with. The fact that a supplier of services has the necessary information security accreditation in their own right goes a long way to satisfy any would-be auditor that the retailer’s third party suppliers have the necessary credentials.”

About Barron McCann

Barron McCann clients include Wickes, Primark, TK Maxx, The Body Shop, CostCutter and Iceland. Barron McCann employs over 170 engineers who diagnose and fix retailers’ problems. Visit www.barronmccann.com.

Meanwhile the US-based PCI Security Standards Council (PCI SSC) announced the availability of PCI Essentials, new, interactive eLearning to train employees on basic security practices for protecting payment and other sensitive data.

Developed with US eLearning provider, Security Innovation, PCI Essentials addresses unsafe computing habits and behaviors to help businesses establish a culture of security.

Bob Russo, General Manager, PCI Security Standards Council, said: “In today’s high threat environment, employees at all levels within an organisation must play a role in thwarting data compromises. It’s critical that they are trained in what to look for and how to avoid putting their company at risk. This new eLearning offering demonstrates our ongoing commitment to promoting the best possible payment security awareness education for businesses of all sizes.”

PCI Essentials offers a series of ten interactive and engaging mini-courses, each focusing on a critical area of information security needed for compliance with PCI DSS, from protecting cardholder data and password practices to avoiding ‘social engineering’ and physical security. Each module takes about 15 minutes.

© 2024 Professional Security Magazine. All rights reserved.
