<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Expense Reduction Analysts &#187; PCI-DSS</title>
	<atom:link href="http://www.expense-reduction.co.uk/tag/pci-dss/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.expense-reduction.co.uk</link>
	<description>Expense Reduction Analysts - Experts in Reducing Business Costs</description>
	<lastBuildDate>Tue, 31 Jan 2012 09:18:28 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.3</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>UK Firms falling down on cardholder data security</title>
		<link>http://www.expense-reduction.co.uk/2010/03/uk-firms-falling-down-on-cardholder-data-security/</link>
		<comments>http://www.expense-reduction.co.uk/2010/03/uk-firms-falling-down-on-cardholder-data-security/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 16:53:08 +0000</pubDate>
		<dc:creator>Stephen Whitlam</dc:creator>
				<category><![CDATA[Banking & Finance]]></category>
		<category><![CDATA[Card Transaction Costs]]></category>
		<category><![CDATA[Merchant Card Fees]]></category>
		<category><![CDATA[merchant card savings]]></category>
		<category><![CDATA[PCI-DSS]]></category>
		<category><![CDATA[Plastic Cards]]></category>

		<guid isPermaLink="false">http://www.expense-reduction.co.uk/?p=3503</guid>
		<description><![CDATA[Customer &#8220;plastic card&#8221; data security is still lax for many UK retailers. Staggeringly, the vast majority have still to be certified as PCI DSS* compliant. Even more worryingly, a third appear unsure if they will meet the planned 30th September deadline. These latter are in real danger of at best paying avoidable penalties of up to 0.85% of their card sales turnover [...]]]></description>
			<content:encoded><![CDATA[<p>Customer &#8220;plastic card&#8221; data security is still lax for many UK retailers. Staggeringly, the vast majority have still to be certified as PCI DSS* compliant. Even more worryingly, a third appear unsure if they will meet the planned 30th September deadline. These latter are in real danger of at best paying avoidable penalties of up to 0.85% of their card sales turnover and &#8211; at worst &#8211; <strong>finding that they cannot accept cards at all!</strong></p>
<div>
<div>A survey of 100 retail, financial services and hospitality businesses, conducted by Redshift Research, shows in detail that only 11% of companies are currently audited and certified as compliant.</div>
<p>In addition, 35% of respondents still do not fully understand PCI compliance requirements, and nearly a third do not know if they will be compliant by the September 2010 deadline.</p>
<p>The research survey reveals that 32% of companies are currently responding to weaknesses that were identified in their PCI DSS pre-audit, 27% will put off becoming compliant for as long as possible, 14% have completed a pre-audit but not undertaken any further action and 14% are not compliant and are not in the process of becoming so.</p>
<p>In addition, 39% of respondents believe that credit card security should be the problem of the credit card companies. Meanwhile, only a quarter have a dedicated PCI DSS Project Manager, with 78% saying that the issue falls within the remit of IT security.</p>
<p>Smaller businesses are lagging behind larger companies in terms of PCI readiness, with all Level 1 merchants saying they understand the issue, compared to just 44% of Level 4 firms.</p>
<p>Comparing the results by industry sector, 57% of retailers admit that they still do not fully understand PCI requirements, compared to 27% of finance companies and 27% of leisure firms.</p>
<p>A fifth of finance companies say they will not be compliant by the September 2010 deadline, and a further 20% do not know if they will meet it.</p>
<blockquote><p>Guy Washer, MD, Redshift Research, says: <em>&#8220;The results suggest that many companies could actually be taking a &#8216;blind faith&#8217; approach to PCI compliance. Despite the fact that most companies remain confident of meeting the PCI deadline, only a small minority are currently audited and certified as compliant, and there is still confusion over PCI standards.&#8221;</em></p></blockquote>
</div>
<blockquote>
<div>Stephen Whitlam of Expense Reduction Analysts says that the survey <em>&#8220;reveals there is still a big education issue out there. The broader card industry has not helped by extending deadlines and by a piecemeal approach to communication. However &#8211; at the core &#8211; is protection of customer data which if misused can result in broader identity fraud. We are talking here of data captured by the retailer, <strong>and how that data is handled and stored by the retailer. </strong>The card industry is trying to impose responsible common-sense standards and I do not think we are too long off seeing a high profile retailer being denied access to accepting cards completely. And in our experience &#8211; in the interim &#8211; the penalty charges we see so many new clients paying are completely avoidable and cover the costs of compliance many times over.&#8221;</em></div>
<div>Stephen went on to say <em>&#8220;there have already been some high profile cases like TK Maxx and whilst I understand the responders who feel data security is a card industry responsibility, the answer to them is: yes it is, and the industry response is to ensure that all players take responsibility for their part or exclude them from access&#8221;.</em></div>
</blockquote>
<p style="text-align: center;">*PCI DSS stands for Payment Card Industry Data Security Standards. It is the card industry&#8217;s response to the need to make sure that all data that can identify a cardholder, or simply an account, is subject to minimum standards of care by all those who hold or access it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.expense-reduction.co.uk/2010/03/uk-firms-falling-down-on-cardholder-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

