One thing was made clear at the recent Payment Card Industry Data Security Standard (PCI DSS) user group meeting: Pressure is mounting on companies to comply with PCI DSS requirements, even though no large U.K. high-street retailer has yet managed to do so.
The user group meets regularly in London, and its members represent public and private organisations working to achieve compliance with PCI DSS requirements.
The meeting focused on figures issued by Visa in January, which reveal that just 9% of the U.K.'s Level-1 retailers (those handling more than 6 million card transactions a year) have managed to achieve PCI DSS compliance, and none of those are traditional bricks-and-mortar operations. Online-only retailers without physical stores have largely been successful in meeting the standard.
The main speaker, Neira Jones, head of payment security for Barclaycard, explained how Visa and Mastercard are now putting pressure on non-compliant companies and clamping down on improper compliance practices. For instance, the card schemes have taken steps to prevent what she described as "acquirer hopping," where organisations switch acquirers if they find their current acquirer is applying the compliance rules too stringently.
Now, she says, non-compliant organisations that exhibit such behaviour are effectively blacklisted by the card schemes to prevent them being taken on by a more lenient acquirer.
Despite these warnings, some attendees still questioned how seriously the rules were being enforced. The CISO from one major clothes retailer said his company had recently changed acquirers in order to cut costs. "The question of PCI DSS never arose in the negotiations with the new acquirer. They were just interested in having our business," he said.
Another member representing a large hospitality chain (who asked not to be named) said: "Are the schemes really going to apply fines or is this just posturing? In our experience, there is a gap between what they say and what they do in practice." Other members echoed that view, saying they did not fear fines, even though they were still a long way from compliance.
But Jones assured her audience that fines are being applied, especially when companies suffer breaches. She reminded members that in October 2009 Visa increased its fine for a data breach at a Level-4 merchant from 2,500 to 10,000.
She added that in the first half of 2009, £200,000 a month was being collected in fines for non-compliance, although the card schemes have since adopted a more conciliatory approach. "It was decided that non-compliance fines were unfair if companies could show they were making progress," she said. "We saw no fines for non-compliance in the second half of 2009."
And there has been progress, despite the lack of full compliance. At the end of 2008, 48% of companies were still storing sensitive card authentication data, but by January 2010, she said, that had dropped to 2.5%.
Some audience members representing large merchants said they were struggling to get the budget they needed to complete compliance projects. Several said it would help if the U.K. had disclosure laws forcing the publication of any breach details and the fines imposed. "If we could show what levels of fines were being handed out, that would help us make a business case [for compliance spending]," said one audience member.
Jones agreed, but pointed out that the full schedule of fines is now available on various websites, including Visa's and that of RBS Worldpay.