Card standards ignored
The PCI Data Security Standard 1.1 came into effect in September, but are firms complying?
Many organisations are ignoring new Payment Card Industry (PCI) standards on secure data storage, and could be exposing themselves to the risk of data breaches and regulatory non-compliance as a result, industry experts warned last week.
The PCI Data Security Standard 1.1 came into effect in September. It groups its twelve requirements under six control objectives, which any organisation that stores, processes or transmits cardholder data must meet.
But Malcolm Skinner, international marketing director of web security specialist Bee Ware, argued that most firms are either unaware of the new rules or are merely paying lip service to them. He cited recent Bee Ware research, which found that fewer than 10 percent of local councils knew what PCI 1.1 compliance entailed.
“PCI 1.1 includes practical measures you can take [to comply] and it’s flexible in terms of what measures you should have in place,” Skinner said. “But less than five percent of the private sector is complying.”
Amer Deeba of vulnerability management firm Qualys said that credit card companies were taking steps to ensure organisations knew about the standard, but banks should do more to track and enforce compliance.
Non-compliance can have grave consequences. “If the retailer gets hacked because it has not followed the standard and data has been exposed, it will be fined by the card companies and there could be litigation from its customers,” Deeba said.