PCI DSS requirements still baffling as compliance deadline approaches

PCI DSS requirements can present a serious challenge for some merchants as the September 2010 compliance deadline approaches. A new survey shows that many Level-3 and Level-4 merchants are having trouble understanding the PCI DSS requirements.

New research reveals that one of three U.K. companies still does not fully understand Payment Card Industry's Data Security Standard (PCI DSS) requirements, and only 11% say they are compliant with the standard.

The figures come from a study carried out by Redshift Research Ltd. on behalf of security event management vendor Tripwire Inc. The researchers questioned a cross-section of 100 U.K. companies of various size, drawn from the financial services, retail and hospitality sectors.

According to Guy Washer, managing director at Redshift, compliance programmes have made more progress in larger companies -- Level-1 and Level-2 merchants handling more than one million transactions a year. All the Level-1 merchants said they comprehended the standard, and 86% of Level-2 merchants said they understood it.

More on PCI DSS requirements
Tips to achieve PCI compliance 

Make PCI DSS compliance easier by reducing scope, outsourcing data

But knowledge of PCI DSS was far patchier among smaller merchants. Approximately 56% of Level-4 merchants (those handing fewer than 20,000 transactions a year) said they did not understand the standard fully, and 36% of Level-3 merchants (processing up to a million transactions a year), admitted they were still struggling to understand the PCI DSS requirements.

Knowledge was higher amongst all financial services and hospitality companies, where 73% said they understand what is required, but only 43% of retailers were as confident.

Asked whether they would achieve compliance by September 2010, the new PCI DSS compliance deadline set by the two main card schemes, Visa and Mastercard, all the Level-1 merchants claimed they were on track to comply.

Confidence was almost as high among Level-2 companies, at 89%, but only 56% of Level-3 merchants said they were sure of complying, and 62% of the Level-4 organisations.

But as Washer pointed out, the smaller merchants' confidence seemed misplaced, given that so many lacked a full understanding of the standard's requirements – 44% of Level 4 companies claimed to understand the standard, while 62% said they were confident they'd be able to comply by the September deadline.

"The results suggest that many companies could be taking a blind-faith approach to PCI," he said. "Despite the fact that most companies remain confident of meeting the PCI deadline, only a small majority are currently audited and certified as compliant."

The research is in line with other industry data, which also shows a low level of compliance so far, especially among brick-and-mortar retailers. Neira Jones, head of security services for Barclaycard plc, said she knows of only one Level-1 brick-and-mortar retailer that is PCI DSS compliant so far.

According to Branko Lolich, a PCI DSS consultant with London-based Information Risk Management plc, Level 1 merchants as a whole will more realistically be compliant as an industry by 2012.

In the meantime, he said, Level 1 and 2 merchants should be able to avoid penalty notices as long as they avoid storing track 2 data (from the magnetic stripe) and CVV2 numbers, complete external network scans, have a PCI DSS remediation plan in place with a target date for compliance and provide quarterly updates to their acquirers.

Read more on Regulatory compliance and standard requirements