Feeds

Merchants call credit card industry's bluff on compliance

PCI DSS off the agenda

Internet Security Threat Report 2014

Nine in ten (88 per cent) European firms have failed to achieve compliance with a credit card industry standard for processing ecommerce transactions.

European merchants are behind their US counterparts in getting up to speed with the Payment Card Industry's Data Security Standard (PCI DSS), according to a survey by management tools firm NetIQ. The findings of the survey come less than two weeks before a 30 June deadline for compliance with a significant revision in the standard that adds web application security requirements.

PCI DSS was introduced by the major credit card companies as a means of encouraging merchants to engage in best practice security. The 12 point guidelines cover a basic set of requirements such as the need to keep systems up to date with patches and to encrypt cardholder data, for example.

A poll of 65 merchants across Europe by NetIQ revealed that two years after the standard was introduced the majority of firms are still way off being compliant. Worse, the majority (54 per cent) have no timetable for getting up to speed. Only 17 per cent of respondents reckoned that they would be compliant within six to twelve months.

By comparison, 23 per cent of respondents to a similar survey of 300 US organisation said they were already PCI DSS compliant. However more than two in five (44 per cent) of those quizzed had no idea when they would achieve compliance.

At first sight attaining PCI DSS compliance may seem easy enough but the path to getting a sign-off on the standard can be tricky in practice. Half of those working towards obtaining the PCI DSS seal of approval have been doing so for more than six months. Although failure to achieve compliance with the standard allows credit card firms to levy penalties, many organisations are postponing compliance out of a belief that it's a stick card issuers are reluctant to wield.

Seven out of 10 of those quizzed by NetIQ reckoned that the penalties for non-compliance would only occasionally be levied, while 23 per cent said that fines would "almost never" be issued. Many of the merchants are more worried about dishonest workers than external hackers or business partners.

Compliance with the PCI DSS standard involves self assessment in the case of smaller ecommerce firms, ranging up to annual audits for the largest firms. Achieving the PCI DSS standard can lead to lower merchant fees but doesn't necessarily mean every organisation that goes through the process is secure.

For example, US grocery chain Hannaford warned in March that an information security breach (later blamed on malware) had exposed an estimated 4.2 million credit card records. Hannaford had achieved PCI DSS compliance prior to the breach but the approval process failed to uncover the flaws that led to the breach. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.