In-depth

Are you ready for PCI compliance?

Davey Winder takes a closer look at the financial transaction security standard and what you need to do to get certified.

On the 30th September the Payment Card Industry Data Security Standard (PCI-DSS) will become mandatory for many UK organisations. Yet just three months ago a Tripwire survey by Redshift Research suggested that of the UK businesses that handle credit card transactions only 11 per cent had actually been fully audited and passed as PCI compliant.

According to credit card fraud screening company The 3rd Man, in 2010 so far the total cost of UK cardholder not present fraud is a staggering 151,059,712.60. And it's rising day by day.

It's obvious something needs to be done, and the credit card industry has determined that 'something' is compliance with strict standards relating to card payment security: the Payment Card Industry Data Security Standard or PCI-DSS for short.

"Put simply, PCI-DSS is a set of common sense standards aimed at ensuring that a payment security baseline is attained by all organisations with access to card data" Stanley Skoglund, senior vice president of Payment System Risk at Visa Europe told IT PRO, adding "to become PCI DSS compliant, organisations must satisfy twelve requirements which include recommendations on encrypting data, maintenance of secure IT systems and restricting physical access to card data".

But, as always, the devil is in the detail and within those 12 core requirements hide a total of 214 specific boxes that must be ticked during a PCI-DSS audit in order to achieve compliance certification.

As Vijay Samtani, who leads Deloittes PCI-DSS team, points out "businesses can only claim compliance when every requirement is addressed in full" but while business is taking compliance seriously many have only addressed the most important aspects of the standard and "have plans to achieve full compliance".

This lack of advancement in the process may not be down to unwillingness to comply, says Paul Williams who is Strategy Chair for ISACA, but rather a practical business perspective of balancing priorities with risk management principles. "The standard is quite onerous on organisations and requires a medium to high level of maturity of the organisation's security function processes and technology controls to be successful" Williams explains, adding "Many companies are not at this level of maturity".

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020