Study: Businesses still don't understand PCI standards

By Sabah Karimi

In a time when major data security breaches are becoming more common, the credit card industry is taking steps to counteract online and offline security threats. The Payment Card Industry (PCI) Data Security Standard is typically updated every 24 months to ensure that all credit card companies and credit card processing systems are utilizing the latest technologies to protect sensitive data. Yet, the new PCI standards have a September 2010 deadline, but only a small percentage of companies that accept credit cards have taken steps to meet them.

A recent study conducted by Redshift Research on behalf of Tripwire found that a third of merchants still do not know how to be PCI compliant for the September 2010 deadline, and only 11 percent are certified as compliant to date.

Only some credit card merchants have taken steps to conduct necessary audits and replace outdated systems or technologies. SC Magazine reports that 39 percent of survey participants believed that credit card security should be the problem of credit card companies, not the credit card processor.

The primary goal for credit card merchants is to improve security and integrate some of the latest technologies, such as virtualization, which help to reduce security threats.

Failure to comply with PCI standards can result in fines and permanent expulsion from the card acceptance program, according to PCIStandard.com. Therefore it's critical that all merchants that accept credit or debit card payments, or process and store credit card data, learn about the latest PCI standards and take steps to ensure they are compliant.

To meet PCI standards, the company must pass a quarterly vulnerability scan conducted by a Visa and MasterCard "qualified independent scan vendor." The company must also complete a self-assessment questionnaire that asks specific questions about internal security protocol and practices online and offline.

Article by Sabah Karimi

Published: May 12, 2010