Online merchants should find meeting the Payment Card Industry Data Security Standard (PCIDSS) neither intrusive nor expensive if quarterly penetration tests are mandated in Australia.
Last week, Computerworld reported that mandates for Visa Level Four merchants in the US require them to submit to quarterly network vulnerability scans, as well as to fill out a 75-question self-assessment form annually.
The practice has yet to be mandated in Australia, and Visa-approved penetration testers contacted by Computerworld said that only detailed web application and penetration testing will provide a greater level of assurance - a requirement within the overall standard, but one not formally assessed at the "lower end".
Robert Goldberg, KPMG risk advisory partner, said Visa has already worked out relationships with various service providers to supply basic scanning tools that minimize both cost and impact; small credit card merchants should not find compliance, if mandated in Australia, either intrusive or expensive.
"The reason it [compliance] gets a negative reaction from merchants is [because] when they implement applications and set up their network none of these requirements were built-in, so the merchants end up bolting on security they never even considered to begin with," Goldberg said.
"Time to market for usability and the time to market online is key and diametrically opposed to security, but in my view compliance should be a business enabler done in a safe manner.
"The primary driver for the PCIDSS in 2001 was the data breaches which caused banks to issue new cards; merchants were negatively damaged with fraud and financial losses stemming back to the issuing bank. Visa said there needs to be a level of security to prevent this from happening, to increase trust online, but also to minimize costs associated with breaches by limiting the number of times they occur."
Goldberg added some organizations may complain about compliance, but none of the measures are "over the top".