A recent survey of 80 North American businesses about the Payment Card Industry Data Security Standard by RSA had an interesting finding. While nearly all — 90 percent — think the standard’s requirements will be effective for protecting cardholder data, a little over half have not reported compliance.
So all these companies think PCI is a good idea but most aren’t doing it, despite all the passed deadlines and threats of fines? What gives?
“We found that a lot of merchants still don’t really understand PCI. They’re still trying to understand the requirements,” said Steve Preston, solutions marketing director at RSA, a division of EMC.
“If you really pull it apart and look at it, it’s pretty comprehensive and prescriptive. For a set of best practices, it’s pretty clear,” he said, but added, “the devil’s in the details.”
For the uninitiated, the PCI DSS is a set of 12 basic requirements set forth by Visa, MasterCard and other payment card associations for any organization processing credit cards. There are multiple subrequirements covering encryption, access controls and more.
According to the RSA survey, more than half of the respondents said tracking and monitoring access to the network and systems with credit card data is a significant technical challenge when it comes to PCI compliance. Encrypting card data, managing encryption keys and log management were other trouble spots, Preston said. Some companies don’t even know where credit card data is in their network.
RSA, of course, sees an opportunity here. On Monday, it announced a set of products and services to help companies comply with PCI. Preston says PCI compliance is more than a security issue; it’s an information management one. RSA’s portfolio is designed to help businesses find and manage credit card data, secure it, and to sustain the controls.
Time will tell if the strategy pays off. PCI isn’t anything new (it grew out of Visa’s 2001 security program) but businesses still don’t seem to be taking the standard all that seriously, if RSA’s survey is any indication. Merchants that process more credit card transactions (PCI Levels 1, 2 and 3) reported a higher level of compliance than Level 4 merchants processing fewer transactions (55 percent compared to 19 percent) but still, it’s far from overwhelming. And after the TJX debacle, handing over your credit card to a merchant no matter the size still can be unnerving.
When it comes to PCI, Preston summed it up: “There’s a lot of work to do.”