PCI DSS compliance projects hurt by 'blind faith' attitude of UK companies
Businesses are unconvinced of the benefits of a looming security standard for credit card payments.
The Payment Card Industry Data Security Standard (PCI DSS) aims to cut credit card fraud by ensuring that companies which take card payments - such as retailers - have adequate security policies in place.
It is backed by the payment card companies, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, and the standard is already in place in the US.
By 30 September this year the first tier of merchants in the UK (those who process more than six million transactions annually, known as Level 1) will have to be PCI DSS compliant. If they aren't, they risk fines and higher transaction costs from their payment card company.
But according to a survey of 100 retail, financial and leisure businesses, 27 per cent of respondents feel PCI DSS is unnecessary and the same number plan to put off compliance for as long as possible, while nearly one in three are unconvinced that PCI DSS will improve IT security.
Despite these grumbles, all of the Level 1 merchants surveyed said they would be compliant by the September deadline, although this dropped to just over half of Level 3 and Level 4 merchants, who process up to one million and 20,000 transactions respectively.
Only 11 per cent of companies are currently PCI DSS compliant, according to the survey commissioned by IT security company Tripwire.
The survey also found half said they had undertaken a PCI DSS pre-audit and 40 per cent were fixing weaknesses that had been identified by that audit.
Nearly half of the companies surveyed said PCI compliance will aid their brand reputation, help to justify investment in existing security infrastructure, improve attention to information security and protect data privacy.
There was some good news: three-quarters of respondents had no problem securing funding for their PCI DSS projects, suggesting the importance of compliance is now widely understood at board level within businesses. The vast majority of organisations have IT and senior management involved with their PCI DSS projects, while a third have involved sales and a quarter involve HR.
Guy Washer, managing director of Redshift Research, which conducted the survey, said the results suggest that many companies could actually be taking a "blind faith" approach to PCI compliance. He said that while most companies remain confident of meeting the PCI deadline, only a small minority are currently audited and certified as compliant, and there is still confusion over PCI standards. He also warned that there is a huge divergence between large and small companies in terms of PCI readiness.
The 12 key requirements of PCI DSS are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update antivirus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
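One common way stored cardholder data ends up unprotected (requirement 3) and undetected by monitoring (requirement 10) is full card numbers written into application logs. The Python below is an added illustration, not code from the article, Tripwire or the PCI council: it scans constructed sample log lines for Luhn-valid card numbers and masks them to the first six and last four digits, the most PCI DSS allows to be displayed; the log layout and the `pay-gw` service name are assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn mod-10 check; filters out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep the first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_line(line):
    """Return the line with every Luhn-valid PAN masked, plus how many were masked."""
    found = 0
    def repl(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)       # not a card number: leave it alone
        found += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), found

def redact_log(lines):
    """Scan a batch of log lines; a non-zero total is what a monitoring job should alert on."""
    cleaned, total = [], 0
    for line in lines:
        text, n = redact_line(line)
        cleaned.append(text)
        total += n
    return cleaned, total
# Constructed sample lines: 4111... and 5555... are public test card numbers,
# the 16-digit order id on the last line is not a PAN and must survive untouched.
SAMPLE_LOG = [
    "2008-05-12 10:01:07 pay-gw INFO auth ok card=4111111111111111 amount=19.99",
    "2008-05-12 10:01:09 pay-gw DEBUG request body pan='5555 5555 5555 4444'",
    "2008-05-12 10:01:11 pay-gw INFO order=1234567890123456 shipped",
]

if __name__ == "__main__":
    lines, hits = redact_log(SAMPLE_LOG)
    print("\n".join(lines), f"\n{hits} PAN(s) masked")
```

Run against real logs the same function doubles as a detection check: any non-zero count means cardholder data reached a store it should never have been written to.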