Merchants seemingly on a mission to fail compliance tests as a quarter admit that they do not know if they will meet the September deadline
A third of merchants do not understand the requirements of PCI DSS (Payment Card Industry Data Security Standard) compliance and only 11 per cent are certified as compliant.
A survey conducted by Redshift Research on behalf of Tripwire found that a third of respondents do not know if they will be PCI compliant by the September 2010 deadline, while 18 per cent said that they did not know if they would be compliant by the 2010 deadlines that have been set by Visa and MasterCard.
Despite the majority of respondents saying they were confident about achieving PCI compliance, the research survey found that 32 per cent are currently responding to weaknesses that were identified in their PCI DSS pre-audit; 27 per cent of companies will put off becoming PCI compliant for as long as possible; 14 per cent have completed a PCI DSS pre-audit but not undertaken any further action; and 14 per cent are not compliant and are not in the process of becoming so.
In addition, 39 per cent of respondents believe that credit card security should be the problem of the credit card companies.
Jim Johnson, CEO and president of Tripwire, said that as this was an industry standard, and not a regulatory standard, it is the industry that is pushing it forward and it was not being driven by government.
Johnson said: “In 2008 there were more records stolen than in the previous four years combined. What is the state of PCI? How many vendors are implementing it?”
Rob Warmack, senior director of international marketing for Tripwire, said: “As the evolution towards a cashless society continues to gain pace, every organisation from insurance companies to financial services, hospitality to retail is becoming reliant upon credit and debit cards.
“The research demonstrates that there is now a growing awareness of the importance of PCI DSS standards, however with only a small minority of companies currently certified as compliant many organisations are facing an uphill battle to meet the September 2010 deadline.”
Guy Washer, managing director of Redshift Research, said that 40 per cent of survey requests were refused as he believed that a lot of them were not talking as they were not addressing the issues.
He said: “People have got five to six months to understand and implement the rules. There is an element of blind faith, and they are convinced that they will be compliant but it is not looking like they will be. Smaller companies will struggle but make up the volume, tier two companies will have a process and for levels three and four it will be a heck of a resource.”
Johnson said: “We are looking not just at PCI compliance as general compliance for best practise. Compliance is a means to an end, and we know we cannot prevent all breaches but we are trying to reduce the number as aggressively as we can.”
Warmack concluded: “Furthermore, whilst the importance of continuous compliance now seems to be hitting home, organisations are still not necessarily putting in place the processes or tools required to achieve that objective.”