Are you ready for PCI compliance?

Davey Winder takes a closer look at the financial transaction security standard and what you need to do to get certified.

On the 30th September the Payment Card Industry Data Security Standard (PCI-DSS) will become mandatory for many UK organisations. Yet just three months ago a Tripwire survey by Redshift Research suggested that of the UK businesses that handle credit card transactions only 11 per cent had actually been fully audited and passed as PCI compliant.

According to credit card fraud screening company The 3rd Man, in 2010 so far the total cost of UK cardholder not present fraud is a staggering 151,059,712.60. And it's rising day by day.

It's obvious something needs to be done, and the credit card industry has determined that 'something' is compliance with strict standards relating to card payment security: the Payment Card Industry Data Security Standard or PCI-DSS for short.

"Put simply, PCI-DSS is a set of common sense standards aimed at ensuring that a payment security baseline is attained by all organisations with access to card data" Stanley Skoglund, senior vice president of Payment System Risk at Visa Europe told IT PRO, adding "to become PCI DSS compliant, organisations must satisfy twelve requirements which include recommendations on encrypting data, maintenance of secure IT systems and restricting physical access to card data".

Advertisement - Article continues below
Advertisement - Article continues below

But, as always, the devil is in the detail and within those 12 core requirements hide a total of 214 specific boxes that must be ticked during a PCI-DSS audit in order to achieve compliance certification.

As Vijay Samtani, who leads Deloittes PCI-DSS team, points out "businesses can only claim compliance when every requirement is addressed in full" but while business is taking compliance seriously many have only addressed the most important aspects of the standard and "have plans to achieve full compliance".

This lack of advancement in the process may not be down to unwillingness to comply, says Paul Williams who is Strategy Chair for ISACA, but rather a practical business perspective of balancing priorities with risk management principles. "The standard is quite onerous on organisations and requires a medium to high level of maturity of the organisation's security function processes and technology controls to be successful" Williams explains, adding "Many companies are not at this level of maturity".

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
cyber security

If not passwords then what?

8 Jan 2020
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020