Survey says 89% of firms not compliant with PCI DSS

March 2010

A UK-specific survey of 100 retail, financial and hospitality firms has found that only 11% are certified as compliant with new credit card standards to be brought in during June.

The new Payment Card Industry - Data Security Standard (PCI DSS) will be made mandatory in September and will be the second iteration of the standard which was first released in December 2004.

The standard is supported by five companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa. The main aim of the standard is to reduce credit card fraud.

The survey, which looked at compliance and attitudes towards this standard, was carried out by business market research agency Redshift Research for IT management vendor Tripwire.

In addition to the 89% of the firms surveyed that weren't compliant, the survey also found that 35% of respondents still don't fully understand PCI compliance requirements.

A further third of those polled said they don't know if they will be compliant by this September.

The PCI DSS industry standard recognises four levels of firm: Level four: merchants processing up to 20,000 transactions annually; Level three: firms processing between 20,000 and one million transactions; Level two: firms processing between one and six million transactions; and Level one: firms processing over six million transactions.

PCI DSS compliance for level one merchants means having a yearly audit by a qualified security assessor (QSA), having their networks scanned every three months for external vulnerabilities by an approved scanning vendor (ASV), and annual penetration testing. Level two and three merchants must fill out an annual self-assessment questionnaire, and also have a quarterly penetration test.

Washer said all the level one merchants understand that they must be compliant, but the smaller firms have more difficulty understanding what needs to be done.

Tripwire chief executive Jim Johnson outlined the main reason for the introduction of the new standard: "In 2008, more [credit card] records were stolen than over the previous four years, and there's no reason to think that this statistic will go down."
