PCI commentators and recent surveys have again reinforced the importance of the Payment Card Industry Data Security Standard, as well as highlighting the penalties and pitfalls of ignoring PCI DSS guidelines. Writing for Infosecurity Magazine, independent security analyst Mark Gillespie collates and analyses recent findings which support and promote PCI DSS.
Gillespie identified the current confusion surrounding the application of and adherence to PCI DSS. Since its introduction in 2004 a number of big name brands have incurred fines for improper protection of cardholder data. The highest profile case occurred in 2007 when high street chain TK Maxx was penalised for a lack of adequate safeguards in its payment card system.
Gillespie utilised statistics taken from a recent study carried out by the Ponemon Institute and independent research organisation Imperva. Of all the companies within the scope of PCI DSS, 71% do not invest in a security strategy for cardholder information. That 79% of the companies questioned had in fact experienced a PCI-related breach suggests that much improvement is needed.
The statistics illustrate that it is the smaller companies, those employing fewer than 1,000 people, that are least likely to conform to PCI DSS recommendations. Since a vast majority of the global economy is driven by these smaller businesses, the importance of universal PCI DSS conformity becomes clear.
Gillespie went on to suggest that the general reluctance to recognise PCI DSS would change over the coming months and years. With credit card companies such as Visa promoting the importance of PCI DSS compliance, a wider understanding and appreciation of the rules is gaining momentum. An October 2009 awareness campaign by Visa prompted financial giants HSBC to better explain PCI DSS to customers.
Gillespie concluded that both virtual and physical security are required to ensure the effectiveness of PCI DSS, and thus that relegating its implementation to IT departments alone will compromise its impact. Whilst PCI DSS compliance can prove to be financially challenging for smaller enterprises, it is hoped that co-operation and cohesion will eventually lead to safer, more secure transactions for customers and less embarrassment for firms governed by the guidelines.