CIO

Companies need to get PCI compliance savvy

Security knowledge sorely lacking as PCI DSS deadlines loom

Payment card industry (PCI) compliance knowledge is sorely lacking among Australian companies and needs to improve before the next deadline later this year, according to Bridge Point Communications director, Tim Smith.

The deadlines are set by the major payment processing companies, including VISA, which has a deadline of 30 September. MasterCard’s deadline is 30 June 2011.

A survey, conducted by security vendor Tripwire, spoke to 93 Australian merchant companies in the retail and leisure industries. It found that 57 per cent of respondents still do not fully understand PCI compliance requirements, and nearly 30 per cent did not know if they would meet the PCI data security standards (DSS) deadlines.

Smith agreed that around 30 per cent would not know the deadline dates, but he expected that more than 57 per cent did not understand the requirements.

“Most of the clients I’m working with are those who are reasonably mature and understand the requirements or at least have a grasp, but that’s not always true,” he said. “It depends on who the bank is that is disseminating the information.”

Smith also said the level of support banks provide to customers on the standards varies greatly: some banks simply tell customers ‘here you go, get on it’, while others want to take their clients through the first step to compliance.

“If the person responsible for compliance is not an IT person, those requirements can be quite daunting.”

He agreed with Tripwire’s survey finding that 16 per cent plan to put off compliance for as long as possible.

“People naturally tend to put things off if it’s not their core business. The deadlines have moved, so that can stop a project which then needs to be restarted again.”

Another problem for organisations that choose to self-assess is that they have some self-doubt, he said.

“It’s much better if you have the compliance validated. It will make compliance easier as it will narrow the scope of the project.”

Smith’s recommendation for CIOs is to go to the experts for advice.

“It can range from four hours of knowledge transfer to doing the whole lot. It saves a lot of money and time to get guidance up front so you learn how to minimise the scope,” he said.

“Cost will be a factor but the standard is something organisations should be putting in place if they are transacting with a credit card. My recommendation is that companies engage with an expert and it’s not a huge cost from a discovery perspective.”

Vectra Corporation director of corporate development, Michael Ryan, said in a statement that he was not surprised by the research findings. The firm provides IT security services to customers.

“There is certainly a lack of merchant understanding around PCI compliance requirements in Australia,” he said.

“It is clear that PCI DSS requirements are just not known by the vast majority of Australian merchants and more must be done to ensure they are understood. Ultimately, it is the responsibility of the banks to inform merchants of their responsibility to become compliant and reduce the risks of fraudulent activity occurring.”