In-depth

Are you ready for PCI compliance?

Davey Winder takes a closer look at the financial transaction security standard and what you need to do to get certified.

On the 30th September the Payment Card Industry Data Security Standard (PCI-DSS) will become mandatory for many UK organisations. Yet just three months ago a Tripwire survey by Redshift Research suggested that of the UK businesses that handle credit card transactions only 11 per cent had actually been fully audited and passed as PCI compliant.

According to credit card fraud screening company The 3rd Man, in 2010 so far the total cost of UK cardholder not present fraud is a staggering 151,059,712.60. And it's rising day by day.

It's obvious something needs to be done, and the credit card industry has determined that 'something' is compliance with strict standards relating to card payment security: the Payment Card Industry Data Security Standard or PCI-DSS for short.

"Put simply, PCI-DSS is a set of common sense standards aimed at ensuring that a payment security baseline is attained by all organisations with access to card data" Stanley Skoglund, senior vice president of Payment System Risk at Visa Europe told IT PRO, adding "to become PCI DSS compliant, organisations must satisfy twelve requirements which include recommendations on encrypting data, maintenance of secure IT systems and restricting physical access to card data".

But, as always, the devil is in the detail and within those 12 core requirements hide a total of 214 specific boxes that must be ticked during a PCI-DSS audit in order to achieve compliance certification.

As Vijay Samtani, who leads Deloittes PCI-DSS team, points out "businesses can only claim compliance when every requirement is addressed in full" but while business is taking compliance seriously many have only addressed the most important aspects of the standard and "have plans to achieve full compliance".

This lack of advancement in the process may not be down to unwillingness to comply, says Paul Williams who is Strategy Chair for ISACA, but rather a practical business perspective of balancing priorities with risk management principles. "The standard is quite onerous on organisations and requires a medium to high level of maturity of the organisation's security function processes and technology controls to be successful" Williams explains, adding "Many companies are not at this level of maturity".

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Data breach exposes widespread fake reviews on Amazon
data breaches

Data breach exposes widespread fake reviews on Amazon

7 May 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021
What are SSH keys?
cyber security

What are SSH keys?

7 May 2021
Google’s about to push everyone into two-factor authentication
Security

Google’s about to push everyone into two-factor authentication

6 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021