UK hospitality sector mistaken about PCI compliance
Orthus Limited recently completed a survey of Level 4 merchants in the UK's hospitality industry. In the survey, numerous organizations claimed they were PCI compliant. According to Orthus, 77 percent of those that claimed PCI compliance are not actually working within the regulatory standards.
The survey, which polled more than 1,000 organizations, found 94 percent of respondents have not completed required vulnerability scanning mandated by the PCI DSS council. Furthermore, just 36 percent said they have completed security penetration testing. Another 9 percent claimed to have security policies in place. However, none of the respondents had performed mandatory wireless network testing. Just 24 percent of respondents had completed a self assessment questionnaire, and only half of those actually sent the result to their acquirer. What's more, all of those survey responses deal only with those respondents that believed they are PCI compliant.
Orthus concluded that these results indicate that many merchants do not properly understand PCI compliance and are not equipped to meet the regulations. Part of the reason merchants do not understand the regulations, Orthus explained, was misinformation from vendors. A majority of survey respondents that said they were PCI compliant did so because a vendor told them they needed to be equipped for vulnerability scanning, and gave merchants the impression that systems were secure when they actually were not.
"Misinformation is a significant problem in the market. Vendors are selling their products as facilitating PCI compliance and buyers are not doing their homework. If the vendors are affiliated with an Acquiring Bank their products are even perceived as required for compliance so after a Merchant purchases them, they naturally assume they are now compliant," said Courtney Bryant, data compliance specialist at Orthus.
In a recent TechTarget report, industry experts Joshua Corman, from the 451 Group, and Paul Judge of Barracuda Networks debated the impact of PCI compliance on security as a whole. According to Judge, the PCI DSS has fueled new developments in security, helping keep consumers and businesses safe in a quickly changing environment. Corman agrees that PCI regulations have fostered some innovation, but said they also are falling behind in certain areas and are currently stifling industry improvements. In most of these cases, Corman said the PCI DSS is simply outdated, and companies are often content to maintain standards set by the PCI instead of going beyond the requirements.