Nearly half of UK IT directors said their company could not adequately control access to their point-of-sale systems, leaving sensitive data vulnerable to theft, a study revealed.
Further, only 20 percent of the 167 IT leads in large businesses said they could state that their systems containing credit card and personal details had not been targeted by cyber-attacks.
Vulnerabilities may be due to merchants' confusion over the Security Standards Council (SSC) changes to the payment card industry's (PCI) standards earlier this year, suggested Christopher Strand, senior director of compliance for security company Bit9 and Carbon Black.
He said: “These results highlight a major lack of confidence and knowledge around PCI 3.0 with an urgent need for organisations to improve protection of endpoint systems and the credit card data they house, against cyber threats.”
The new standard, version 3.0, includes changes that align pen-testing methods with an industry standard. Companies also need to maintain an inventory of system components (hardware and software) that are in scope for PCI DSS, along with documentation showing which PCI DSS requirements are managed by vendors and which are managed internally.
Despite the concerns over security, the study found that only 10 percent of IT budgets were spent on meeting these new requirements.
Strand added: "Security coverage and compliance validation are converging into the same goal. Protecting critical data from advanced threats and ensuring that solutions are in place that prove security controls are in line with compliance objectives. With these two perspectives, 10 percent doesn't seem so high."
The majority of IT leads (74 percent) said their company was still relying on systems running on Windows XP and only 29 percent were planning to deploy a new operating system in the near future.
The UK government is currently encouraging banks to adopt the CBEST framework for pen-testing to secure themselves against "real world attacks".
The UK study by Vanson Bourne looked at 250 businesses, over half of which have over 3,000 employees. 167 respondents used POS systems and 35 were retailers.