Firms aim to achieve PCI DSS compliance deadline, despite the cost

U.K. businesses are preparing for a worsening economy, but are still working to implement and enforce PCI DSS compliance standards despite the cost the guidelines introduce.

British business may be cutting costs to survive a worsening economy, but it is finally facing up to one area of expense it cannot put off any longer – PCI compliance.

Although the final Payment Card Industry Data Security Standard (PCI DSS) compliance deadline passed in June this year, it is estimated that possibly less than 10% of merchants have actually been accredited.

But warnings from the card companies and acquiring banks are finally beginning to take effect, and suppliers of PCI technologies are reporting a sudden increase in business.

Graham Jones, U.K. managing director for security firm Integralis AG, said: "Security is being pushed by risk and compliance at the moment. People have to do it, despite the credit crunch. Last year, we were pushing PCI compliance and not getting too much take-up, but now we find companies are coming to us to help them."

Jones said other areas of expenditure are being cut back or delayed: "We are seeing people postponing maintenance and support contracts on their hardware in order to save money, but they are pushing ahead with PCI compliance. It is quite bizarre."

The surge of new business has boosted the finances of Integralis, which saw its revenues grow by 18.4% in the first half of this year, and operating profit by 51.1%. Managed security services accounted for 39% of revenues.

Jones added that he will soon be selling the managed services on an original equipment manufacturer (OEM) basis via a couple of telecommunications companies and systems integrators.

The health of the U.K. security market, especially for PCI compliance, was also underlined by database encryption specialist Protegrity Services Inc., which has just set up a new U.K. headquarters and taken on a new European vice president.

The new man in the job is New Zealander Ian Schenkel, who formerly worked for AirMagnet Inc. and Sygate Technologies (now acquired by Symantec), and he sees PCI as his biggest opportunity. "There is a big chunk of the market that has yet to be addressed," he said. "We are talking some quite large organisations who say they need to be compliant by 2009 or 2010. But a lot of the companies we are dealing with are struggling to get their heads around what's required of the standard."

He plans to emphasise first how the Protegrity product set can address different parts of the PCI requirements document and is banking on companies then seeing where encryption can help them in other parts of their business, namely in the protection of all personally identifiable information (PII). "PII is becoming very important in the U.S., and that is a trend we expect to follow in the U.K. and Europe."

Schenkel said PCI had been slow to be adopted in the U.K. because it had initially been presented merely as a guideline, which most companies chose to postpone or ignore completely. "The stick approach has only been brought in during the last six to nine months. But banks and the card companies are now really forcing PCI compliance, and the big tier-1 merchants are coming under tremendous pressure to come into line because they handle millions of credit cards."

To cope with anticipated demand, Schenkel says he plans to take on five or six resellers for the U.K. to handle the Protegrity appliance, and has already appointed Global Secure Systems Ltd. While most sales up to now have been made directly, he says 70 to 80 per cent of sales will go through resellers by the end of 2009.

The banks and card companies are reluctant to give up-to-date figures about PCI compliance. But in a written statement, a spokesman for Visa said: "Over 90% of major UK merchants are either PCI-compliant or committed to achieving compliance, and over 85% of large companies have confirmed they no longer store the sensitive card data that hackers want to steal."

"Visa Europe's stance on retailer compliance [with PCI DSS] is that if merchants have not yet reached compliance, they must be working towards that goal urgently. In the meantime, they should be prioritising fundamentals such as ensuring that they do not store card data and protect their systems from hackers."