Many Companies Will Fail PCI Deadline - Twenty-Four Seven Security

« Better Security Means Spending Less | Main | Podcast with Application Security: Databases in the Crosshairs »

September 27, 2007
Many Companies Will Fail PCI Deadline

This September 30 brings another PCI (Payment Card Industry) deadline, where the major credit card companies like Visa and MasterCard have threatened fines and penalties if retail companies do not meet their requirements, but over a third of the Level 1 merchants (the largest retailers) will not be up to standard. Smaller merchants promise to post an even a higher failure rate.

"Sixty percent of the respondents in the U.S. and the U.K. will plan to be fully compliant in the next year, white 51 percent of companies in Germany and 40 percent of companies in Spain and France are planning to take more than one year to comply with PCI," says Forrester Research in an RSA-sponsored study that appears on Dark Reading. "Twenty-two percent of the global respondents plan to take at least two years or more before becoming fully PCI compliant."

The PCI standard has 230 requirements, and according to a recent VeriSign survey, 53 percent of companies failed to meet at least one of those requirements. That’s an improvement over last year, when the number was 73 percent. And for retailers that don’t make this end-of-September deadline, this will be the third one they’ve missed (the credit card companies had originally set compliance for June 2005). That deadline was extended to 2006, and extended once again until three days from now.

My money is on another extension. By why so many missed deadlines? Experts list three likely culprits: access management, application security, and encryption.

In terms of access management and control, more than 25 percent of the companies are having a difficult time classifying credit card data and securely storing it. Another 25 percent said they are having trouble with their access controls, while another 20 percent brought up access control technologies is their primary problem.

"One of the biggest questions was whether companies should do detailed code review or put in an application firewall," said Joe Lindstrom, senior director of compliance consulting at Symantec, who was a panelist at the meeting. "The standard says you must do either one, but it doesn't require you to do both, so a lot of companies are struggling with what to do there."

Finally, encryption continues to be one of the most problematic hurdles for companies facing PCI compliance. A continuing problem with encryption is the wireless environment, where WEP continues to dominate despite is many weaknesses.

And that’s still dealing mostly with Level 1 merchants, which hardly mentions Level 2 and below. So what is going to happen? If companies continue to fail to meet the PCI mark, look for the long arm of the law to step in. Because if anyone knows how to miss a deadline, it's the government.