The Payment Card Industry Data Security Standard (PCI DSS) will apply to organisations in the UK from September 30th 2010. However, recent research undertaken in the UK reveals that with just months to go before the compliance validation deadline, only 11 percent of UK organisations that handle credit card data currently have been audited and certified PCI compliant.
There is senior management commitment to PCI, and funds available. But a lack of understanding is compromising compliance activity and engendering a tick box approach that will not meet management objectives of protecting the corporate reputation. It is the right attitude, underpinned by appropriate technology and processes, that will create a more secure organisation and protect cardholder data: with greater security and data protection, organisations can ensure both brand and reputation are protected.
The Payment Card Industry Data Security Standard (PCI DSS) is one of the most prescriptive data protection standards ever developed. It addresses the ever-increasing threats to customer cardholder data by requiring security controls for the cardholder data environment. As a pass/fail regulation, organisations must pass each and every one of the 214 requirements to be certified as PCI compliant.
In 2010, almost three years after the United States (US) market mandated that organisations comply with the PCI DSS, the United Kingdom (UK) now faces its compliance deadline. But just how many of the lessons learnt in the US are being applied by UK organisations? After three years of increasingly stringent compliance activity, best practice has now become clear and organisations have a chance to leverage global expertise and experience to streamline the compliance process.
Yet only 11% of organisations processing credit and debit cardholder information are actually audited and compliant, and the vast majority of these companies are the large organisations, many of which are global businesses that have already addressed PCI DSS in the US.
Over half (58 percent) of Level 1 merchants – those processing over six million transactions annually – are audited and certified compliant. In contrast, for those merchants processing under six million transactions, the percentage of certified organisations falls to a surprising low of 4 percent to 8 percent.
Yet organisations are committed to compliance. Over three quarters (77%) of organisations have had no difficulty in securing funding and resource to ensure PCI DSS requirements are met. And 88% have senior management on the PCI DSS team or working group.
This top-level commitment reflects a key conclusion of the research: brand awareness and fear of reputation damage significantly drive PCI compliance activities in most organisations. And this is a clear reflection of the US experience where, following an initial, significant resistance to MasterCard, Visa and American Express dictating compliance, companies have had a rapid change of heart.
The combination of high penalties and the threat of being unable to accept payments via each of these card brands certainly focused attention on PCI. But more importantly, those storing cardholder data have been rocked by the huge brand damage, loss of customers and financial costs incurred by organisations that have endured high profile data breaches.
It is no surprise, therefore that these UK organisations would overwhelmingly prefer to invest time and resources in achieving compliance rather than pay penalties for non-compliance or endure a data breach that damages their reputation.
However, despite this commitment, over one quarter of organisations surveyed either will not be compliant or are unsure if they will be compliant by the 2010 deadlines. And these organisations appear far from confident about their understanding of the requirements of PCI; 35 percent are not confident, with an astonishing 57 percent of retailers lacking confidence in their understanding.
This lack of understanding is underpinned by the perception amongst many Level 3 and Level 4 merchants that their existing security procedures exceed the level of security required by PCI. In contrast, none of the Level 1 and 2 merchants surveyed – those likely to be further along the compliance route – hold this opinion. Rather, these more experienced merchants feel the PCI DSS requirements are actually only on par now with their current security procedures.
This lack of understanding of the PCI requirements raises a real concern that these organisations will fail to address each aspect of the PCI standard, thereby increasing the danger of data compromise. They may also underplay the PCI requirements and risk complacency; fail to implement the requirements until or unless required; implement them incorrectly; and not ensure the requirements are adhered to continuously. Failure in each or all of these areas will result in a heightened risk of data compromise, potentially leading to loss of customer data, fines from the card brands for non-compliance with PCI, customer law suits, and of course, brand damage.
Unfortunately, as the PCI compliance deadline approaches in which these organisations must experience a full PCI audit, they may realise too late that they face a steep climb to achieving PCI compliance and ensuring cardholder data protection.
At a time when IT budgets are under tight scrutiny, senior managers are more willing than ever to release funds for PCI compliance. Because of the experiences of organisations in the US related to PCI and data security, these organisations now understand that good data security and PCI compliance are key to protecting the organisation’s reputation. Compliance deters would-be attackers and presents an opportunity for organisations to reinforce public and customer confidence in their brand. Simply enough, in this market no organisation can risk the massively damaging effects of a publicised breach of cardholder data.
But given the budgets and resources available, are these organisations prepared for the pending deadline? As the deadline approaches the only option for many will be to take the unfortunate “checklist approach” to PCI compliance, rather than relying on ongoing good security practices to protect cardholder data.
Adding to these concerns, smaller organisations have clearly underestimated the serious implications of PCI. While most organisations hear loud and clear that continuous compliance activity is essential, the majority of these organisations are not implementing the processes or tools required to achieve that objective.
For UK merchants the objective should not be to just pass a PCI audit. Achieving continuous PCI compliance should be viewed as just one way of demonstrating that good security practices are in place. If compliance itself is the driving factor, organisations will struggle to achieve the goal. Instead, if organisations focus on putting in place security best practices, they often achieve continuous PCI compliance as a natural by-product and benefit.