SecurityVibes – IT Security & Compliance Magazine

ICO warns retailers to implement PCI-DSS or face “enforcement action”

Author: Derek Parkinson, in Compliance

Online retailers must implement PCI-DSS – or an equivalent security standard – or face “enforcement action” by the Information Commissioner’s Office (ICO), the data privacy watchdog has warned.

Following an investigation into the cosmetics retailer Lush, which suffered a long-term security breach that put payment card details of around 5,000 customers at risk, the ICO has received a written commitment from the company that it will implement PCI-DSS. Some observers expressed surprise that the company escaped without a fine.

However, in a statement the ICO said the “breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times”.

“The ICO is taking this opportunity to warn online retailers that if they do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, they risk enforcement action from the ICO,” it said.

The undertaking from Lush sheds some light on why its network was able to remain breached for four months before the company noticed anything amiss. “The systems in use at the time also failed to fully log system activity, rendering the precise nature of the attack difficult to assess,” it says.

As part of its undertaking, Lush will ensure that activity logs are “retained for an appropriate period of time and frequently interrogated for evidence of malicious attack”.
