ITPRO

Printed from www.itpro.co.uk

Register to receive our regular email newsletter at http://www.itpro.co.uk/reg/register.

The newsletter contains links to our latest IT news, product reviews, features and how-to guides, plus special offers and competitions.

Skip to navigation

    Are you ready for PCI compliance?

Davey Winder takes a closer look at the financial transaction security standard and what you need to do to get certified.

By Davey Winder, 1 Sep 2010 at 14:15

card security
card security gallery

On the 30th September the Payment Card Industry Data Security Standard (PCI-DSS) will become mandatory for many UK organisations. Yet just three months ago a Tripwire survey by Redshift Research suggested that of the UK businesses that handle credit card transactions only 11 per cent had actually been fully audited and passed as PCI compliant.

According to credit card fraud screening company The 3rd Man, in 2010 so far the total cost of UK cardholder not present fraud is a staggering £151,059,712.60. And it's rising day by day.

It's obvious something needs to be done, and the credit card industry has determined that 'something' is compliance with strict standards relating to card payment security: the Payment Card Industry Data Security Standard or PCI-DSS for short.

"Put simply, PCI-DSS is a set of common sense standards aimed at ensuring that a payment security baseline is attained by all organisations with access to card data" Stanley Skoglund, senior vice president of Payment System Risk at Visa Europe told IT PRO, adding "to become PCI DSS compliant, organisations must satisfy twelve requirements which include recommendations on encrypting data, maintenance of secure IT systems and restricting physical access to card data".

But, as always, the devil is in the detail and within those 12 core requirements hide a total of 214 specific boxes that must be ticked during a PCI-DSS audit in order to achieve compliance certification.

As Vijay Samtani, who leads Deloitteís PCI-DSS team, points out "businesses can only claim compliance when every requirement is addressed in full" but while business is taking compliance seriously many have only addressed the most important aspects of the standard and "have plans to achieve full compliance".

This lack of advancement in the process may not be down to unwillingness to comply, says Paul Williams who is Strategy Chair for ISACA, but rather a practical business perspective of balancing priorities with risk management principles. "The standard is quite onerous on organisations and requires a medium to high level of maturity of the organisation's security function processes and technology controls to be successful" Williams explains, adding "Many companies are not at this level of maturity".

Previous
1 2 3 4
Next

Email to a friend

Print this page

< Previous   Security : Analysis & Insight Next >

Be the first to comment on this article

You need to Login or Register to comment.

    You may also like...

 Sponsored Links

advertisement

    You may also like...

    Latest Security News

Cloud computing

Huddle: Amazon, Google clouds not Government ready

Huddle claims big public cloud vendors don't offer enough security to be used by central Government.

Read more

 

More Security News

    Latest Security Tutorials

PC on a drip (virus protection)

How to protect a group of office PCs from viruses

Safeguarding multiple office computers from malware doesn't have to be difficult or expensive, as Simon Edwards shows in our step-by-step guide.

Read more

 

More Security Tutorials

advertisement

    Most popular

    Latest Analysis & Insight Videos in Security

Cloud Security

Why security should top the cloud agenda

Play Why security should top the cloud agenda   Play

Security should always be paramount in business, but with a cloud based infrastructure it’s arguably even more important. Steve Cassidy and...

 
Sponsored Links
Advertisement