Slow take-up of PCI shows lack of compliance with Data Protection Act

Experts discuss companies disregard to get compliant with the Data Protection Act and the Payment Card Industry Data Security Standard (PCI DSS), proving there is a lack of enforcement and penalties, which would lead to a security breach, credit card theft or fraud.

It is hard to get accurate figures about the adoption of PCI DSS (the Payment Card Industry Data Security Standard) among U.K. merchants, but everyone agrees it is still low – probably no more than 10%, despite the latest deadline for compliance passing more than two months ago.

When it comes to the DPA, we see people doing the absolute minimum, because they know they're not going to get punished.
Alan Calder,
IT Governance

So what does this tell us about the merchants themselves? One man who thinks we should be very worried is Matthew Tyler, a director with Evolution Security Systems, a consultancy that specialises in helping systems become compliant with a range of laws and regulations.

His close contact with clients in a range of industries has led him to conclude that many companies place very little importance on the way they handle personal and financial data. "If they were already fully compliant with the Data Protection Act, for example, which has been in force for a decade, I don't believe they would find the demands of PCI DSS too difficult. They would be halfway there already. But they are not even compliant with the DPA."

It is an interesting comparison. As another compliance expert, Alan Calder of IT Governance, points out, the Data Protection Act and PCI DSS have little in common. The Data Protection Act covers personal information and works on broad principles, leaving much to the judgement and discretion of each company to act in good faith. By contrast, PCI DSS focuses closely on payment card information and prescribes in minute detail what companies should do to protect it at a technical level.

But Calder agrees that a failure to comply with either regulation betrays a common mindset that would prefer to risk a small fine (or in the case of the DPA, just an enforcement order) rather than spend large amounts of cash on becoming compliant.

As Tyler says, if an individual is affected by identity theft and the loss of a credit card number, it is the identity theft that will cause the most trouble and be harder to fix. "If someone steals my credit card number, the banks will compensate me and give me a new card. If my identity is stolen, then it is down to me to try to prove who I am. It is much more serious."

And yet, progress on both fronts is likely to be slow.

PCI DSS, Data Protection Act fines and penalities
"When it comes to the DPA, we see people doing the absolute minimum, because they know they're not going to get punished," Calder said. "They might take the trouble to register, and they might do a few of the things they are required to do, but few will be fully compliant with all the principles of the DPA."

The same apathy applies to PCI, he said. "Merchants in the U.K. simply haven't come under pressure from their acquiring banks to comply. We see Barclays trying to apply some pressure for merchants to comply, but most other banks are not."

He said most companies realise that deadlines for compliance have slipped several times, and there is still no real idea of the level of fines that could be suffered in the case of a breach. "So why would you spend the money, if your bank is not pressuring you, there is no obvious size of fine, and there are not obvious benefits to compliance?"

He points out that if companies have an established information security management system in place, such as ISO 27001 or Cobit, then the task of becoming PCI compliant will be a lot easier. The fact that so many are struggling to achieve PCI DSS probably tells us a lot more about their general state of security.

About the author:
Ron Condon has been writing about developments in the IT industry for more than 30 years. In that time, he has charted the evolution from big mainframes, to minicomputers and PCs in the 1980s, and the rise of the Internet over the last decade or so. He has edited daily, weekly and monthly publications, and has written for national and regional newspapers, in Europe and the US. In recent years he has taken a strong interest in information security and is a former Editor-in-chief of SC Magazine.

Read more on Regulatory compliance and standard requirements