Tripwire raises concerns over payment card security compliance

Research has found a majority of companies in the hospitality and leisure industry in the UK are not compliant with new rules on credit card payment security.


Redshift Research did the survey on behalf of IT provider Tripwire ahead of a Payment Card Industry Data Security Standard deadline this September.


It found 89% of companies in the hospitality and financial services sectors were not currently audited or certified as compliant.


Rob Warmack, senior director of international marketing for Tripwire, said: “As the evolution towards a cashless society continues to gain pace, every organisation from insurance companies to financial services, hospitality to retail is becoming reliant upon credit and debit cards.


“The research demonstrates that there is now a growing awareness of the importance of PCI DSS standards; however, with only a small minority of companies currently certified as compliant, many organisations are facing an uphill battle to meet the September 2010 deadline.”


Guy Washer, managing director of Redshift Research, added: “The results suggest that many companies could actually be taking a ‘blind faith’ approach to PCI compliance.


“Despite the fact that most companies remain confident of meeting the PCI deadline, only a small minority are currently audited and certified as compliant, and there is still confusion over PCI standards.


“There is also a huge divergence between large and small companies in terms of PCI readiness.


“Furthermore, whilst the importance of continuous compliance now seems to be hitting home, organisations are still not necessarily putting in place the processes or tools required to achieve that objective.”


The survey was based on a sample size of 100 retail, hospitality and financial services businesses and found smaller businesses are lagging behind larger ones in becoming compliant.


It also found over a third did not understand PCI compliance and two thirds were not aware of the September deadline for compliance.


The lack of compliance was not put down to a shortage of funds to upgrade IT systems.


Just over three quarters of the respondents have not had problems securing funding and resources to ensure PCI DSS requirements are met.


A further 64% agreed that PCI compliance will improve the overall security of cardholder information; 50% said it will improve attention to information and security, and help protect data privacy; and 44% said it will help enhance brand reputation by giving consumers greater confidence.


The majority of respondents were confident they will be able to achieve PCI compliance but 32% were currently responding to issues identified in their PCI DSS pre-audit.


The survey found 27% will put off becoming PCI compliant for as long as possible; 14% have completed a PCI DSS pre-audit but not undertaken any further action; and 14% are not compliant and are not in the process of becoming so.


In addition, 39% of respondents believe that credit card security should be the problem of the credit card companies.


Comparing the results by industry sector, 57% of retailers admitted that they still do not fully understand PCI requirements, compared to 27% of finance companies and 27% of leisure companies.


20% of finance companies said they would not be compliant by the September 2010 deadline, and a further 20% of finance respondents did not know if they would meet the deadline.


Furthermore, 25% of retailers did not know if they would be compliant, whilst only 9% of leisure companies were unsure about hitting the deadline.