Payment security is lagging

Failure to comply with card data rules puts UK businesses at risk

New standards are designed to prevent credit card fraud

Just one in 10 UK merchants are compliant with payment card data security rules, leaving them open to security breaches and criminal attacks.

Only 11 per cent of retailers, financial services institutions and other businesses accepting card payments conform to the Payment Card Industry Data Security (PCI DSS) rules, according to a survey by secure transaction specialist The Logic Group.

The guidelines were developed by the PCI Security Standards Council, a global forum established by credit card firms ­to help prevent security breaches such as fraud and hacking.

The penalties of non-compliance are starting to be felt, said MasterCard vice president Paul Baker.

“Non-compliant merchants are realising the impact through the account data compromises or hacks that are now being seen,” he said.

“The damage to the brand and to customer confidence can be extreme. Our aim is to move all merchants to a compliant status as quickly as possible.”

More than four out of five relevant businesses have assessed the impact of meeting the PCI DSS requirements, says the survey. But six per cent of respondents have neither started working towards compliance, nor intend to.

Insiders say the standard needs to be more widely publicised. “Awareness is growing, but I am amazed at how many people do not know about the standard,” said one hospitality industry source.

“And many people think their software is secure but do not realise compliance means much more.”

One explanation for the slow progress is that attention has been focused elsewhere, said Gartner research director Alistair Newton.

“There has been a lack of priority in the retail community ­ merchants in the UK have been busy implementing the highly-visible chip-and-PIN so the back-end storage issues have slipped,” he said.

In May TJX, the parent company of high-street chain TK Maxx, admitted nearly 46 million credit and debit card records had been stolen over an 18-month period from July 2005. The breach cost the company nearly $130m (£64m).

“What happened to TK Maxx should drive retailers to compliance because it shows the reputational damage of a breach,” said Newton.