Sunday, March 20, 2011

UK EMEA Lab Notes - February 2011 - Ian Hyndman

PCI Compliance In The UK

Hands up anyone who still uses cash for most of their purchases? Hmm, very few.

Nowadays the majority of people pay for everything by debit or credit card. Paying by card is so easy that you can walk into a corner shop, pick up a couple of chocolate bars and use your card. The ability to walk around without having to worry about cash or change is a great feeling. As anyone will testify, when you don’t need a cash machine they’re everywhere, but when you do need a cash machine…

With all this new-found freedom and everybody willing to swipe my card, are my details safe?

The banks and card providers have been asking the same question and, as a result, have come up with PCI compliance. PCI stands for Payment Card Industry, and every single business that takes payment by card will have to become compliant. That’s right, not just the Amazons and PayPals, but your local takeaway and corner shop as well. Everyone will have to be compliant.

Why?

The banks and card providers are fully aware of problems such as customers’ card details being sold or stolen. For this key reason (and many others) PCI regulations have been brought in to ensure that any company holding card data has proven, through audits, that the data it holds is secure. As it currently stands, we consumers don’t know whether a company keeps the data on a secure server behind a firewall or simply on the store owner’s home computer with a weak password. The banks and card providers are hoping that these measures will give consumers the confidence to use their cards. This is a problem that these organisations are taking very seriously: if consumers don’t have faith that they can use their cards safely, they just won’t use them.

When?

The original deadline set for all businesses in the UK to become compliant was September 30th 2010. The aim was to ensure Level 1 businesses were compliant first, and that businesses at all the other levels met compliance thereafter.

A Level 1 business refers to Amazon-type companies with over 6 million transactions annually. At the other end of the scale are Level 4 businesses: local shops with fewer than 20,000 transactions annually.

In September 2010, Tripwire published a white paper that revealed the readiness of UK businesses for compliance. Below are the key findings from that report.

KEY FINDINGS

• Only 12% of United Kingdom (UK) organisations processing credit and debit cardholder data are currently certified as being PCI compliant.

• 58% of Level 1 merchants have been audited and certified as compliant. This falls to 6%, 8% and 4% for Level 2, 3 and 4 organisations.

• Over half (57%) of retail organisations admit to not fully understanding the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

• Brand awareness and fear of reputation damage is a significant driver for achieving PCI compliance.

• Over three quarters (77%) of organisations have had no difficulty in securing funding and resources to ensure PCI DSS requirements are met.

• 88% of organisations have senior management on the PCI DSS team or working group — a figure that is 100% for Level 1 organisations.


Whilst there is currently a shortfall in compliant businesses, the vast majority of them see PCI compliance as an improvement and have gained the necessary funding to implement it. They have seen what happened to large corporations such as RBS WorldPay and TJX, who both lost vast amounts of card data through breaches, and understand how PCI compliance can improve their security.
This can only be good news for us as consumers, as we need to trust that our data is being stored securely.
