New Market Research By Tripwire Finds That Only 11% of UK Companies are Currently Certified as PCI Compliant

  • 35% do not fully understand the requirements of PCI compliance
  • Nearly a third of respondents do not know if they will be PCI compliant by the 2010 deadline
  • Smaller businesses are lagging behind larger companies in terms of PCI readiness
  • Only 26% have a dedicated PCI Project Manager

New independent market research by industry analyst, Redshift Research, on behalf of Tripwire, has found that as the September 2010 PCI DSS deadline looms, only 11% of companies are currently audited and certified as compliant. The survey, which samples the views of 100 retail, financial services and hospitality businesses, also found that 35% of respondents still do not fully understand PCI compliance requirements, and nearly a third of respondents do not know if they will be compliant by the September 2010 deadline.

Significantly, at a time when IT budgets are under close scrutiny because of the difficult economic conditions, the survey found that 77% of respondents have not had problems securing funding and resource to ensure PCI DSS requirements are met, suggesting that the importance of PCI compliance is now widely understood at Board-level within businesses. Indeed, 64% agree that PCI improves the overall security of cardholder information; 50% say that PCI compliance will improve attention to information and security, and help protect data privacy; and 44% say that PCI compliance will help enhance brand reputation by giving consumers greater confidence.

However, despite the majority of respondents saying they were confident about achieving PCI compliance, the research survey found that 32% are currently responding to weaknesses that were identified in their PCI DSS pre-audit; 27% of companies will put off becoming PCI compliant for as long as possible; 14% have completed a PCI DSS pre-audit but not undertaken any further action; and 14% are not compliant and are not in the process of becoming so. In addition, 39% of respondents believe that credit card security should be the problem of the credit card companies. Another key finding was that only 26% of respondents have a dedicated PCI DSS Project Manager. Indeed, 78% say that PCI compliance falls within the remit of IT Security within their organisation, which adds to an already busy workload for IT security professionals.

Furthermore, only 24% of respondents were completely satisfied with their organisation's ability to alert personnel to unauthorised modification of critical files and maintain file integrity on systems within the scope of PCI; only 44% of respondents were completely satisfied with their organisation's ability to ensure critical systems are properly configured and have the right software patches installed; and only 30% were completely satisfied with their ability to log and track user activities critical to preventing, detecting or minimising the impact of data compromise.

The research study also highlights that smaller businesses are lagging behind larger organisations in terms of PCI readiness. 56% of Level 4 merchants and 36% of Level 3 merchants do not fully understand PCI requirements; in contrast, only 14% of Level 2 merchants do not fully understand the requirements, whilst all Level 1 merchants said that they fully understand the requirements. When asked whether they were confident about meeting the September 2010 deadline, 21% of Level 3 merchants said they would not be compliant in time, and a further 25% of Level 3 merchants did not know if they would be compliant in time; 7% of Level 4 merchants said they would not be compliant, and a further 31% said they did not know if they would be compliant. Only 11% of Level 2 merchants were unsure about achieving compliance, whilst all Level 1 merchants were confident about meeting the deadline.

Comparing the results by industry sector, 57% of retailers admitted that they still do not fully understand PCI requirements, compared to 27% of finance companies and 27% of leisure companies. 20% of finance companies said they would not be compliant by the September 2010 deadline, and a further 20% of finance respondents did not know if they would meet the deadline. Furthermore, 25% of retailers did not know if they would be compliant, whilst only 9% of leisure companies were unsure about hitting the deadline.

Commenting on the research results, a Tripwire spokesperson says, "As the evolution towards a cashless society continues to gain pace, every organisation from insurance company to financial services, hospitality to retail is becoming completely reliant upon credit and debit cards. The research results demonstrate that there is now a growing awareness of the importance of PCI DSS standards; however, with only a small minority of companies currently certified as compliant, many organisations will now be facing an uphill battle to meet the September 2010 deadline. In particular, Level 3 and 4 merchants are lagging behind Level 1 and 2 merchants in terms of PCI readiness, suggesting that many smaller businesses have to date perceived PCI standards to be the preserve of larger organisations."

The spokesperson continues, "Companies also need to realise that 'one-off' PCI compliance activity is not enough, since simple system changes can not only compromise PCI compliance but actually create significant security vulnerabilities. We are still seeing clear evidence in the marketplace that companies are struggling to collate information to demonstrate a robust audit trail of PCI compliant processes and then still maintain compliance between audits. Without automation through continuous monitoring and reporting, the process is both resource intensive and potentially valueless: why spend months achieving PCI DSS compliance only to slip out of compliance due to a system change within weeks?"

About Tripwire

Tripwire is the leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 7,000 customers in more than 86 countries rely on Tripwire's integrated solutions. Tripwire VIA, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organisations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com.

For further information on Tripwire, please contact:

Lisa Williams/Max Deeley
The itpr Partnership
t. +44 (0)1932 57 88 00
www.itpr.co.uk
lisaw@itpr.co.uk