Up to 90% of UK companies may not comply with PCI security standards

New research suggests that 89 percent of UK companies are not compliant with the Payment Card Industry Data Security Standards.


The independent research, commissioned by security solutions provider Tripwire and carried out by Redshift Research, surveyed 100 businesses in the retail, financial services and hospitality sector.

Companies in the UK are required to reach full compliance, by taking measures to protect customer card details, by the deadline of 30 September 2010.

However, the research found that 35 percent still do not fully understand PCI compliance requirements and nearly a third do not know if they will be compliant by the deadline.

Nonetheless, 77 percent of respondents have not had any problems securing funding and resources to make sure that their organisations meet the requirements, which Tripwire said suggests that the importance of PCI compliance is widely understood at board level.

This understanding has grown as senior management come to realise the importance of protecting the company brand by avoiding data loss incidents such as the one at UPS, which lost its payroll data.

For 78 percent of the respondents, PCI compliance falls within the remit of IT security within their organisation, while 26 percent have a dedicated PCI DSS project manager.

The companies surveyed were classified as large or small by the volume of card transactions they process annually, ranging from level four merchants, which process fewer than 20,000 transactions a year, to level one merchants, which process more than six million.

The research found that smaller businesses lagged behind larger organisations in their preparedness for PCI. In total, 58 percent of level one merchants have been certified as compliant, compared with 4 percent, 8 percent and 6 percent of level two, three and four businesses respectively.

Fifty-six percent of level four merchants and 36 percent of level three merchants admitted to not fully understanding PCI requirements. This contrasts with 14 percent of level two merchants and none of the level one merchants.

Furthermore, seven percent of level four merchants and 21 percent of level three merchants said they would not be compliant by September.

Retailers (57 percent) were the worst offenders for not fully understanding PCI requirements, compared with 27 percent of finance companies and 27 percent of leisure companies. However, a fifth of finance companies said they would not be fully compliant by the deadline, and another fifth did not know whether they would meet it. Just nine percent of leisure companies were unsure about hitting the deadline.

Guy Washer, managing director of Redshift Research, said: "The results suggest that many companies could actually be taking a ‘blind faith’ approach to PCI compliance. Only a small minority [of companies] are currently audited and certified as compliant.

"Organisations are still not necessarily putting in place the processes or tools required to achieve that objective."

Rob Warmack, senior director of international marketing for Tripwire, added that organisations need to continuously monitor and report on their systems to help them stay compliant.

"One-off PCI DSS certification is not enough. Simple system changes after an audit not only jeopardise PCI compliance but also create potentially significant security vulnerabilities," he said.
