UK companies handling credit card data must be compliant with the Payment Card Industry Data Security Standard (PCI DSS) by 30 June 2007 or face being dumped by credit card companies.

The deadline had originally been pushed back from 30 June 2006 because of the introduction of chip-and-pin.

"Chip-and-pin delayed companies becoming PCI compliant because the credit card companies said that they could not do both at the same time. It's a big move in the UK market," Jon Shaw, European sales manager at encryption firm Ingrian, told vnunet.com. 

Shaw explained that the cost of chip-and-pin had led to the delay. "After chip-and-pin Visa, MasterCard and American Express had a big push on PCI. But a lot of the major retailers were not particularly happy," he said. 

However, Ingrian maintained it is unlikely that the deadline will be pushed back again.

"It is possible that the deadline could shift, but it is not probable," said Erich Baumgartner, vice president of sales and marketing at Ingrian.

Baumgartner explained that the PCI standard is made up of 12 or 13 different criteria, 10 of which are technologies that a lot of companies already have in place.

"They can show the auditor that they are using their intrusion detection systems this way, they are using their firewalls that way and they have virtual private networks so that information is encrypted in transit," he said.

"But the big gap is that nobody has been deploying encryption to secure that sensitive data when it is at rest."