
Organisations struggling with PCI compliance

by Miya Knights

30 Sep 2010


Security experts have used today's Payment Card Industry Data Security Standards (PCI DSS) compliance deadline to warn against complacency in the industry.

PCI DSS is an industry standard designed to protect consumer credit card data, but participating payment card brands set the deadlines for compliance.

All UK Level 1 merchants that process over six million transactions a year and accept Visa payments need to comply with the current v1.2 PCI guidelines by 30 September.

However, Alan Bentley, international senior vice president at endpoint security firm Lumension, suggested that the standard had left even the largest merchants confused.

"PCI compliance might have been around for some time, but merchants are still struggling to get their heads around the requirements," he said.

"Version 2.0 is just around the corner, meaning that merchants need to be concerned about their ability to prove compliance with v1.2, and with the steps they must take to get to the next stage of compliance."

The PCI Council, which oversees the development and management of the standard, is already working on v2.0 as part of the standard's 36-month update lifecycle.

This process covers publication, feedback and implementation, and the retirement of the older version of the standard by the end of year two.

MasterCard, Visa and other participating payment card brands have rolling deadlines for PCI DSS compliance according to merchant size, which were set up with the standard's introduction three years ago.

Fines for data breaches arising from non-compliance can reach $100,000 (£63,450) per month, and the acquiring bank may also suspend the merchant's ability to process credit card transactions.

However, just nine per cent of UK Level 1 merchants have achieved v1.2 PCI DSS compliance, according to figures issued by Visa earlier this year.

"All too often, organisations fall into the compliance trap and focus all their efforts on meeting the requirements of a new deadline without thinking about the bigger picture," said Bentley.

"This broken compliance strategy is costly and ineffective when it comes to security. Taking a myopic view of regulatory compliance creates a situation where merchants are constantly reinventing the wheel, wasting time and effort, and ultimately blowing security budgets."

Do you agree?
