Time to plug the PCI compliance gap

Resellers urged to push compliance to merchants as research shows vast majority are not yet up to speed

By Doug Woodburn

12 Jul 2010

Paying a high price: Criminals have switched their focus to smaller merchants because tier-one players have tightened up security

Payment Card Industry Data Security Standard (PCI DSS) promises to be a big channel money spinner in the coming months as more retailers - and any other organisations taking credit card payments over the web - move to get their houses in order.

While large-scale merchants must be fully compliant with the standard by 30 September, recent research reveals most UK companies are not yet up to speed.

From 1 July, Visa also tightened up its security rules for smaller merchants accepting card payments.

Ian Kilpatrick, chairman of security distributor Wick Hill, said the repeated postponement of PCI DSS deadlines had lulled UK firms into a false sense of security.

“PCI compliance has been a slow burner,” he said. “The deadline kept moving back so everyone got into the mindset that they didn’t have to worry about it, whereas the situation is now real. They [the payment brands] are determined to make it happen and have increased the penalties involved.

“This is an opportunity for the channel, both around product sales and trusted adviser sales,” he said.

PCI DSS was developed by founding payment brands of the PCI Security Standards Council to “help facilitate the broad adoption of consistent data-security measures on a global basis”.

Twelve-step checklist

It covers a checklist of 12 requirements arranged into six areas: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management programme, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

Although meeting most of these requirements can be quite straightforward and the financial and potential reputational costs associated with non-compliance high, most UK end users appear to still be in the dark.

According to a recent survey from analyst Redshift Research, conducted on behalf of security vendor Tripwire, just 11 per cent are currently audited and certified as compliant. The research was published in March and sampled 100 retail, financial services and hospitality businesses in the UK.

Some 35 per cent admitted they did not fully understand PCI compliance requirements, while nearly a third did not know if they would make the September deadline.

Just a quarter (26 per cent) had a dedicated PCI DSS project manager.

Larger level-one merchants, which process more than six million Visa transactions a year, must be audited by a qualified security assessor (QSA).

Alex Teh, commercial director at security distributor Vigil Software, said resellers that are serious about PCI DSS should team up with a QSA.

“We are getting an influx of new enquiries for PCI-led technologies,” he said.

“Resellers should work with a QSA to understand what customers require to be PCI compliant. They can then say, ‘we have these services and products that can help with the remediation after the audit is done’.”

Better understanding

Unsurprisingly, PCI awareness was higher among larger merchants. More than half (56 per cent) of merchants in the smallest category – level four – and 36 per cent of level-three merchants said they did not fully understand PCI requirements. This compares with just 14 per cent for level-two merchants, while all level-one merchants said they fully understood the requirements.

Similarly, all level-one merchants were confident of meeting the September deadline, compared with 11 per cent among level-two players, 46 per cent for level-three firms and 38 per cent among level-four outfits.

Jeff LoSapio, security practice manager for application security vendor Fortify, said the bulk of PCI opportunities are now at the lower end of the market.

“Now the larger merchants have tightened up, the criminals are moving on to easier targets, such as restaurants and hotels. These companies have very little IT security.”

LoSapio urged security resellers to hire at least one PCI specialist. “Retailers are not leaders in IT security and the smaller they are, the more practical advice they need.”

Kilpatrick agreed that the majority of opportunities would be at the lower end, reasoning that banks would be more lenient on mass merchants who do not play ball.

“But for the ones below, it will be a hard shock,” he said.

He advised resellers to move quickly. “There are 12 weeks to go until the September deadline – this is the time to do the sales.”
