Almost a third of UK retailers are completely unaware or only partially aware of the new version of the Payment Card Industry Data Security Standard (PCI DSS).
Research by LogLogic found that 13.8 per cent of respondents were completely unaware of the version two, while 15.5 per cent said that they were only partially aware of it.
Also, when respondents were asked if they knew that PCI DSS 2.0 contains significant changes and clarifications relative to the expected network architecture and virtualisation, only 36.2 per cent said that they were aware of this.
Also, when asked how auditing by the payment card issuers has changed in the past twelve months, the survey revealed that 62 per cent said that audits were becoming more, or much more prevalent.
In a year that saw the release of version two of the PCI DSS standard, Guy Churchward, CEO at LogLogic, said that the findings showed that in terms of attitudes and implementation, there is still a lot more to do.
“It is not just a case of ‘achieving compliance', it is a matter of completing the audits and staying on top of the requirements. It is a long term commitment to the business and to protecting customer data. The research clearly shows that retailers need to get up to speed with the new version pretty quickly, if they are to meet the increasingly regular audit requirements,” he said.
On a positive side, 50 per cent of respondents saw the PCI DSS guidelines as a valuable addition that helps them keep up-to-date, while 17.2 per cent said they used it as a way to justify spending on technologies which are useful outside of PCI mandates.
Shlomo Kramer, CEO of Imperva, asked of the 70.7 per cent who were aware of the new changes, how many saw it as a burden and how many saw it as an opportunity? "That is the interesting statistic, how many retailers view PCI as an opportunity to improve their security posture, which is usually the ones who do PCI right," he said.
"Over the years seeing more organistions take it seriously and for all of its faults, it is a very positive mandate. it is detailed, it is practical and you understand what you need to do. It is not compliance, it is a security standard and it is the new type of security."