Businesses failing to comply with credit card security rules

Complexity is causing delays in PCI DSS compliance despite being compulsory for two years, says study

Businesses with an online presence will need to comply with PCI DSS rules

Some 88 per cent of UK businesses are still not compliant with the Payment Card Industry Data Security Standard (PCI DSS), even though compliance became compulsory two years ago, according to research.

The study carried out by supplier NetIQ also revealed that the majority of those polled have no fixed deadlines for meeting the standard and 54 per cent are unable to forecast when they will be fully compliant.

Only 12 per cent of respondents are already compliant while 17 per cent predicted that they would be within six to 12 months.

The reasons given for the delay in following the data security requirements include complexities in the process, such as setting up measures to protect web applications.

The PCI DSS standard was introduced in January 2005 to help organisations enforce data security management, policies, procedures, network architecture, software design and other critical protective measures.

The rules affect any company transmitting, processing or storing credit card information. Compliance is graded, with merchants divided into four different levels based on the number of transactions they process throughout the year.

The British Red Cross (BRC) is one of the organisations struggling with the compliance process, and in an interview with Computing earlier this year, blamed banks for not providing sufficient information to help compliance.

“Even though we have to meet a deadline, the communication from the merchant banks in relation to what is wanted is very poor,” said BRC's head of IT Miguel Fiallos.