After nearly two years of persuasion, only one UK merchant in 10 currently complies with the credit card issuers' new security standard PCI:DSS, according to a report from secure transaction specialist The Logic Group.
The survey covered top UK retailers, financial services institutions and other businesses that accept card payments. It found only 11% of respondents are fully compliant with PCI:DSS.
However, merchants all know about it. Awareness is 100%, up from 85% last year and 45% two years ago. Eight out of 10 have assessed the impact PCI:DSS will have on their businesses, up by 56% from last year.
Despite these awareness levels, the survey shows that there has been only a 9% increase in PCI compliance in the past 12 months. A further 6% of respondents have either not started working towards PCI compliance or are not even planning to. More than half (53%) of those surveyed have received little or no support or information from acquiring banks, card schemes, suppliers and consultants.
Mark McMurtrie, marketing director at The Logic Group, said, "The critical next step for most businesses is to get board approval for the necessary remediation work to be sanctioned."
Robin Adams, head of security consulting at The Logic Group, said most firms underestimate the time needed to become compliant. "The first six months are needed mainly to assess and plan the project, and it takes the following 12 months to bring the policies and practices into compliance," he said.
The survey showed 69% of merchants still have six months or more to become compliant, and 9% have no plans to implement the standard in the near future.
Adams said the initial drive for compliance has concentrated on payment processors and the largest retailers. But now the focus is shifting to medium and smaller outlets.