Survey says 89 per cent of firms not compliant with PCI-DSS
PCI-compliance survey shows smaller firms on road to PCI-compliance ruin
Deadline for PCI-DSS compliance - September. Number of firms compliant - 11 per cent
A UK-specific survey of 100 retail, financial and hospitality firms has found that only 11 per cent are certified as compliant with new credit card standards to be brought in during June.
The new Payment Card Industry Data Security Standard (PCI-DSS) will be made mandatory in September. It is the second iteration of the standard, which was first released in December 2004.
The standard is supported by five companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa. The main aim of the standard is to reduce credit card fraud.
The survey, which looked at compliance and attitudes towards this standard, was carried out by business market research agency Redshift Research for IT management vendor Tripwire.
In addition to the 89 per cent of the firms surveyed who weren't compliant, the survey also finds that 35 per cent of respondents still don't fully understand PCI compliance requirements.
A further third of those polled said they don't know if they will be compliant by this September.
Redshift Research's managing director Guy Washer said: "We normally see a 25 per cent refusal [to respond] to surveys we conduct, but for this survey, the rate was 40 per cent – that's really high."
"It's possible that firms weren't talking to us because they weren't addressing the problem," added Washer.
The PCI-DSS industry standard recognises four levels of firm:
Level four: merchants processing up to 20,000 transactions annually.
Level three: firms processing between 20,000 and one million transactions.
Level two: firms processing between one and six million transactions.
Level one: firms processing over six million transactions.
PCI-DSS compliance for level one merchants means a yearly audit by a qualified security assessor (QSA), plus having their networks scanned every three months for external vulnerabilities by a QSA (called penetration testing). Level two and three merchants must fill out an annual self-assessment questionnaire and also have a quarterly penetration test.
Washer said all the level one merchants understand that they must be compliant, but the smaller firms have more difficulty understanding what needs to be done.
Tripwire chief executive Jim Johnson outlined the main reason for the introduction of the new standard: "In 2008, more [credit card] records were stolen than over the previous four years, and there's no reason to think that this statistic will go down."