The deadline for all merchants to comply with the latest version of the Payment Card Industry Data Security Standard (PCI DSS) passed on 30 June, but despite widespread reports highlighting the penalties for non-compliance and the numerous business benefits, many firms are still failing to meet the standard’s requirements, according to experts.
The PCI DSS was first introduced almost two years ago in the US, in an effort by the credit card companies to improve the security of payment data. Under the scheme, any organisation that stores, processes or transmits customer card details must comply with a 12-point set of requirements (see box). These include encrypting cardholder data, installing user access controls, running up-to-date anti-malware software and performing regular health checks on their systems.
Qualified security assessors such as Symantec and Cybertrust are responsible for auditing companies and validating those that achieve compliance.
Robert Steggles of hosted application management specialist NTT Europe Online said the firm is close to completing its PCI project. He hopes it will improve the firm’s relationships with its customers as they in turn seek to reassure their own customers about the security of card-holder data.
“PCI will be very important. As soon as one firm takes the lead in this space and shows that compliance is a competitive advantage, then the rest will follow. Eventually non-compliance will become a barrier to entry,” Steggles explained. “It’s not exactly a subset of ISO, but because we have ISO 27001 we already had a lot of the procedures in place.”
Steggles added that cultural issues and a lack of board-level commitment might mean some companies struggle to comply with PCI DSS, but that ultimately customer pressure should ensure that the standard gains widespread acceptance.
Confusion among firms
David Taylor, president of industry association the PCI Security Vendor Alliance, said there is still widespread confusion in the business community about the standard, because the rules vary according to which tier a company is in. Tiers one and two cover merchants that process more than 6,000,000 and between 150,000 and 6,000,000 card transactions a year respectively, while tier three covers merchants processing 20,000 to 150,000 card transactions a year. The remainder are in tier four.
“The chief information security officers have only a minimal idea of what they need to comply with because they are used to regulations that say you need to make ‘reasonable efforts’ to comply,” Taylor argued. “Because this standard is so detailed, it has negatively affected compliance.”
The UK is roughly two years behind the US in its timetable for compliance, according to Taylor. The lack of a data breach notification law, which proved to be a big driver for PCI in the US, may also be hindering UK take-up, he added.
A disconnect between IT security chiefs and finance departments may also impede the progress of PCI projects, he added.
“Chief information security officers may not know if they are compliant, even if they did most of the work, because the person in finance has the interface with the acquiring bank and files the reports,” Taylor explained. “There is a really tenuous relationship between the finance organisation, which deals with the banks, and the IT organisation that has to fix the problems. That causes a lot of delays.”
Taylor advised any IT manager who is about to undertake a PCI project to make a list of all the procedures that are outside the IT remit to manage expectations more realistically.
“Put it into a PowerPoint for the chief executive or the chief financial officer if you can,” Taylor said. “It will need someone from finance or the chief executive’s team to get the job done.”
Jacob West, manager of the Security Research Group at application lifecycle security specialist Fortify Software, argued that the standard would be more effective – and that more companies would pass first time – if it were more prescriptive about the steps necessary to implement a secure development lifecycle.
“Rather than alluding to industry best practices, we would like to see the PCI mandate specific activities. They include architectural risk assessment, static source code analysis during development, security testing with specific measures of breadth and depth and application-aware security defences applied to deployed applications,” West said.
Currently, companies can expect to spend a year to 18 months on PCI projects, according to Helen Yu of data loss prevention specialist Vontu. She argued that companies should take a holistic approach to protecting customer data, rather than just ticking boxes to pass the PCI audit. “If you don’t, you could be looking at brand damage, bad publicity and lost customers,” Yu added.
Firms should ensure that they can locate everywhere cardholder data is being stored before encrypting it. Any magnetic stripe data that is collected during transactions should be wiped, as it is a potential security risk and is of no use to the merchant, Yu said.
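The discovery step Yu describes, finding where card data actually sits before deciding what to encrypt or delete, is usually done with a scanner that looks for card-number-shaped digit runs and then applies the Luhn check to weed out order numbers and other look-alikes. The script below is an added illustration of that approach, written for this page; it is not code from the article, from Vontu or from any PCI assessor. It scans a few constructed sample records (an order export, a point-of-sale debug log, a CRM note, an invoice), reports Luhn-valid primary account numbers masked to first six and last four digits, and flags raw track 2 magnetic stripe data (the `;PAN=YYMM…?` layout of ISO 7813) separately, since the article says that data has no business use and should be wiped rather than encrypted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Digit runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# ISO 7813 track 2: start sentinel ';', PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, end sentinel '?'.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d{3}[^?]*\?")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str   # name of the record/file the data was found in
    kind: str     # "pan" for a bare card number, "track2" for raw stripe data
    masked: str   # masked PAN, safe to put in a report


def scan_text(source: str, text: str) -> List[Finding]:
    """Report track 2 data first, then any remaining Luhn-valid PANs."""
    findings: List[Finding] = []
    for m in TRACK2.finditer(text):
        findings.append(Finding(source, "track2", mask_pan(m.group(1))))
    # Remove track data so its PAN is not reported a second time as a bare number.
    text = TRACK2.sub(" ", text)
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding(source, "pan", mask_pan(digits)))
    return findings


def scan_all(records: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of record name -> content and collect all findings."""
    results: List[Finding] = []
    for name, text in records.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample data using well-known test card numbers; no real cardholder data.
SAMPLE_RECORDS = {
    # order id is 16 digits but fails Luhn; the card number passes
    "orders.csv": "order=1234567890123456,card=4111 1111 1111 1111,amount=19.99",
    # raw swipe left in a debug log: this is the data the merchant should wipe
    "pos_debug.log": "swipe raw=;5500000000000004=2512101000000000?",
    # 15-digit PAN with dashes typed into free text
    "crm_notes.txt": "customer refund to 3782-822463-10005 approved",
    # looks like a card number but fails Luhn, so it is not reported
    "invoice.txt": "invoice no 4111111111111112 total 45.00",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_RECORDS):
        print(f"{f.source}: {f.kind} {f.masked}")
```

The Luhn filter is what keeps the report useful: a 16-digit order number that does not pass it is dropped, while the dashed 15-digit number in free text is still caught. Anything reported as `track2` belongs on the deletion list rather than the encryption list.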