Analyst firm Gartner has slammed efforts by Visa and MasterCard to improve the security of web-based payments.

Both credit card providers are making inroads into bolstering the security of online payments, but their programmes are far too complicated for most merchants, according to Avivah Litan, a research vice president at Gartner.

"Enormous confusion remains among retailers at all levels about how to navigate the Payment Card Industry's complex processes," Litan wrote in a research note.

The PCI Data Security Standard (PDF) defines a series of 12 basic security requirements for merchants, ranging from the need to run a firewall to the tracking and monitoring of all access to network resources and cardholder data.

Although PCI compliance is mandatory, most smaller merchants are not yet participating in the programme.

Litan recommended that Visa and MasterCard should "begin a serious and comprehensive effort to make PCI practical and helpful for retailers and other card-accepting companies".

The complexity of the PCI compliance process will prevent merchants from adopting new consumer security programmes such as Verified by Visa or MasterCard's SecureCode, the analyst warned.

Both programmes allow for improved authentication for online payments by requiring consumers to use a password in addition to entering the credit card number.

Merchants have to enrol in a special programme to be able to handle the secure payments, and PCI compliance is one of the criteria that they have to meet before enrolling.

Merchants have a financial incentive to join the programme as the secure payments will result in fewer charge backs. Visa and MasterCard also offer reduced transaction fees for participating merchants.

But Litan warned that the financial incentives will not be enough to entice merchants to adopt the programme.