Monday, July 05, 2010

Only 11% of UK Companies PCI Compliant

Market research by Redshift Research on behalf of Tripwire has found that only 11% of UK companies are currently audited and certified as PCI-DSS compliant.

The survey, which sampled 100 retail, financial services, and hospitality businesses, also found that 35% of respondents don't fully understand PCI requirements, and nearly a third don't know if they will be compliant by the Sept. 2010 deadline.

Another key finding was that only 26% of respondents have a dedicated PCI DSS Project Manager. Indeed, 78% say that PCI compliance falls within the remit of IT Security within their organization which adds to an already busy workload for IT security professionals.

Furthermore, only 24% of respondents were completely satisfied with their organization’s ability to alert personnel to unauthorized modification of critical files and maintain file integrity on systems within the scope of PCI; only 44% of respondents were completely satisfied with their organization’s ability to ensure critical systems are properly configured and have the right software patches installed; and only 30% were completely satisfied with their ability to log and track user activities critical to preventing, detecting or minimizing the impact of data compromise.

Small Businesses Lagging

The research study also highlights that smaller businesses are lagging behind larger organizations in terms of PCI readiness. 56% of Level 4 merchants and 36% of Level 3 merchants do not fully understand PCI requirements; in contrast, only 14% of Level 2 merchants do not fully understand the requirements, while all Level 1 merchants said that they fully understand the requirements. When asked whether they were confident about meeting the September 2010 deadline, 21% of Level 3 merchants said they would not be compliant in time, and a further 25% of Level 3 merchants did not know if they would be compliant in time; 7% of Level 4 merchants said they would not be compliant, and a further 31% said they did not know if they would be compliant. Only 11% of Level 2 merchants were unsure about achieving compliance, while all Level 1 merchants were confident about meeting the deadline.

Comparing the results by industry sector, 57% of retailers admitted that they still do not fully understand PCI requirements [an amazingly high number!], compared to 27% of finance companies and 27% of leisure companies. Twenty percent of finance companies said they would not be compliant by the September 2010 deadline, and a further 20% of finance respondents did not know if they would meet the deadline. Furthermore, 25% of retailers did not know if they would be compliant, while only 9% of leisure companies were unsure about hitting the deadline.

Guy Washer, managing director of Redshift Research, said that 40 per cent of survey requests were refused, and he believed that many of those who declined were not talking because they were not addressing the issues.

An On-Going Process

Adds Rob Warmack, senior director of international marketing for Tripwire, "One-off PCI DSS certification is not enough. Simple system changes after an audit not only jeopardize PCI compliance but can also create potentially significant security vulnerabilities. We are seeing clear evidence in the marketplace that companies face an ongoing struggle to collate volumes of change and event information across those systems charged with protecting cardholder data and then still maintain compliance between audits. Without automation through continuous monitoring and reporting, the process is both resource-intensive and potentially valueless: why spend months achieving PCI DSS compliance only to slip out of compliance due to a system change within weeks?"
