07 Dec 2006
Forty per cent of companies admit they have no plans to achieve the Payment Card Industry (PCI) Data Security Standard, according to research published today (Thursday).
Figures from security firm CyberSource show only 36 per cent of organisations have started the compliance process.
The PCI standard provides a framework for customer data security processes, including preventing, detecting and reacting to security breaches.
The PCI Data Security Standard lists 12 security requirements that any merchant processing customer card details must achieve.
Only companies turning over more than six million transactions a year require an external audit. The remainder are required to self-audit.
Eventually all merchants will have to comply but for now the focus is on the larger firms, says Gartner analyst Avivah Litan.
She says acquiring banks that enforce the standards will probably start fining merchants that fail to become compliant.
‘This standard is not going to go away. Banks want to be paid back for all the fraud losses they are experiencing and they will do this by fining merchants,’ she said.
Chris Gaines, senior manager at Deloitte and Touche, says companies should achieve compliance even if they do not need an external audit.
‘In the event of a breach an independent forensics investigation will take place and that is when non-compliance will become an issue,’ said Gaines.
‘Companies are seeing this as less of a compliance issue and more of a brand value protection exercise, which is the right thing to do,’ he said.