Are you ready for PCI compliance?
Davey Winder takes a closer look at the financial transaction security standard and what you need to do to get certified.
On 30 September the Payment Card Industry Data Security Standard (PCI-DSS) will become mandatory for many UK organisations. Yet just three months ago a Tripwire survey, conducted by Redshift Research, suggested that of the UK businesses that handle credit card transactions only 11 per cent had actually been fully audited and passed as PCI compliant.
According to credit card fraud screening company The 3rd Man, the total cost of UK cardholder-not-present fraud in 2010 so far is a staggering 151,059,712.60. And it's rising day by day.
It's obvious something needs to be done, and the credit card industry has determined that 'something' is compliance with strict standards relating to card payment security: the Payment Card Industry Data Security Standard or PCI-DSS for short.
"Put simply, PCI-DSS is a set of common sense standards aimed at ensuring that a payment security baseline is attained by all organisations with access to card data," Stanley Skoglund, senior vice president of Payment System Risk at Visa Europe, told IT PRO, adding: "to become PCI DSS compliant, organisations must satisfy twelve requirements which include recommendations on encrypting data, maintenance of secure IT systems and restricting physical access to card data".
But, as always, the devil is in the detail and within those 12 core requirements hide a total of 214 specific boxes that must be ticked during a PCI-DSS audit in order to achieve compliance certification.
As Vijay Samtani, who leads Deloitte's PCI-DSS team, points out, "businesses can only claim compliance when every requirement is addressed in full". But while business is taking compliance seriously, many have only addressed the most important aspects of the standard and "have plans to achieve full compliance".
This lack of progress may not be down to unwillingness to comply, says Paul Williams, Strategy Chair for ISACA, but rather a practical business perspective of balancing priorities with risk management principles. "The standard is quite onerous on organisations and requires a medium to high level of maturity of the organisation's security function processes and technology controls to be successful," Williams explains, adding: "Many companies are not at this level of maturity".
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.