As the UK faces its first real deadline for PCI compliance, a recent survey indicates that attitudes toward PCI compliance and misperceptions of actual compliance status may lead to compliance troubles for many UK organizations. Learn more about the survey results and how the right attitudes and technical controls can change that outlook.
PCI Compliance: Are UK Businesses Ready?
WHITE PAPER

Executive Summary
The Payment Card Industry Data Security Standard (PCI DSS), one of the most prescriptive data protection standards ever developed, addresses the ever-increasing threats to customer cardholder data by requiring security controls for the cardholder data environment. Compliance is pass/fail: an organization must satisfy each and every one of the 214 requirements to be certified as PCI compliant. In 2010, almost three years after the United States market mandated that organizations comply with the PCI DSS, the United Kingdom now faces its own compliance deadline. Following initial and significant reluctance to let MasterCard, Visa and American Express dictate compliance, the US market has recently experienced a rapid change of heart. The combination of high penalties and the threat of being unable to accept payments via each of these card brands certainly focused attention on PCI. More importantly, those storing cardholder data have been rocked by the huge brand damage, loss of customers and financial costs incurred by organizations that have endured high-profile data breaches. But is this attitude reflected in the UK market today?

Key Findings
- Only 12% of United Kingdom (UK) organizations processing credit and debit cardholder data are currently certified as PCI compliant.
- While 58% of Level 1 merchants have been audited and certified as compliant, that figure falls to 6%, 8% and 4% for Level 2, 3 and 4 organizations respectively.
- Over half (57%) of retail organizations admit to not fully understanding the requirements of the PCI DSS.
- Brand awareness and fear of reputation damage are significant drivers for achieving PCI compliance.
- Over three quarters (77%) of organizations have had no difficulty in securing the funding and resources needed to meet PCI DSS requirements.
- 88% of organizations have senior management on the PCI DSS team or working group, a figure that rises to 100% for Level 1 organizations.

According to research commissioned by Tripwire, only 11 percent of UK organizations processing credit and debit cardholder data are currently certified PCI compliant. Level 1 merchants, those processing over six million transactions annually, embraced the standard first, with over half (58 percent) audited and certified compliant. For merchants processing under six million transactions, the percentage of certified organizations falls to a surprisingly low 4 to 8 percent.

The study revealed a particularly interesting finding: senior management in the organizations studied has a resounding commitment to PCI compliance. In fact, organizations easily raise funds for compliance projects. This second finding is extraordinary given recent restrictions on IT spending. Furthermore, senior management is represented on the PCI compliance team in the majority of organizations. This top-level commitment reflects a key conclusion of the research: brand awareness and fear of reputation damage significantly drive PCI compliance activities in most organizations. It makes sense, then, that organizations prefer to invest time and resources in achieving compliance rather than pay penalties for non-compliance or endure a data breach that damages their reputation.

However, the study also revealed a disturbing trend. Many Level 3 and Level 4 merchants (those most likely to be early in their PCI compliance efforts) perceive that their existing security procedures exceed the level of security required by PCI. In contrast, none of the Level 1 and 2 merchants surveyed, those more likely to be further along the compliance route, hold this opinion. Rather, these more experienced merchants feel the PCI DSS requirements are only now on par with their current security procedures. This raises a worrying concern: organizations not yet certified may tend to underplay the PCI requirements and risk complacency. Unfortunately, as the PCI compliance deadline approaches, at which point these organizations must undergo a full PCI audit, they may realize too late that they face a steep climb to achieving PCI compliance and ensuring cardholder data protection.
Introduction
Effective September 30, 2010, the Payment Card Industry Data Security Standard (PCI DSS) will apply to or...