Slow take-up of PCI shows lack of compliance with Data Protection Act

By Ron Condon, UK Bureau Chief
11 Aug 2008 | SearchSecurity.co.uk


It is hard to get accurate figures about the adoption of PCI DSS (the Payment Card Industry Data Security Standard) among U.K. merchants, but everyone agrees it is still low – probably no more than 10%, despite the latest deadline for compliance passing more than two months ago.

So what does this tell us about the merchants themselves? One man who thinks we should be very worried is Matthew Tyler, a director with Evolution Security Systems, a consultancy that specialises in helping systems become compliant with a range of laws and regulations.

His close contact with clients in a range of industries has led him to conclude that many companies place very little importance on the way they handle personal and financial data. "If they were already fully compliant with the Data Protection Act, for example, which has been in force for a decade, I don't believe they would find the demands of PCI DSS too difficult. They would be halfway there already. But they are not even compliant with the DPA."

It is an interesting comparison. As another compliance expert, Alan Calder of IT Governance, points out, the Data Protection Act and PCI DSS have little in common. The Data Protection Act covers personal information and works on broad principles, leaving much to the judgement and discretion of each company to act in good faith. By contrast, PCI DSS focuses closely on payment card information and prescribes in minute detail what companies should do to protect it at a technical level.

But Calder agrees that a failure to comply with either regulation betrays a common mindset that would prefer to risk a small fine (or in the case of the DPA, just an enforcement order) rather than spend large amounts of cash on becoming compliant.

As Tyler says, if an individual is affected by identity theft and the loss of a credit card number, it is the identity theft that will cause the most trouble and be harder to fix. "If someone steals my credit card number, the banks will compensate me and give me a new card. If my identity is stolen, then it is down to me to try to prove who I am. It is much more serious."

And yet, progress on both fronts is likely to be slow.

PCI DSS, Data Protection Act fines and penalties
"When it comes to the DPA, we see people doing the absolute minimum, because they know they're not going to get punished," Calder said. "They might take the trouble to register, and they might do a few of the things they are required to do, but few will be fully compliant with all the principles of the DPA."

The same apathy applies to PCI, he said. "Merchants in the U.K. simply haven't come under pressure from their acquiring banks to comply. We see Barclays trying to apply some pressure for merchants to comply, but most other banks are not."

He said most companies realise that deadlines for compliance have slipped several times, and there is still no real idea of the level of fines that could be suffered in the case of a breach. "So why would you spend the money, if your bank is not pressuring you, there is no obvious size of fine, and there are not obvious benefits to compliance?"

He points out that if companies have an established information security management system in place, such as ISO 27001 or Cobit, then the task of becoming PCI compliant will be a lot easier. The fact that so many are struggling to achieve PCI DSS probably tells us a lot more about their general state of security.

About the author:
Ron Condon has been writing about developments in the IT industry for more than 30 years. In that time, he has charted the evolution from big mainframes, to minicomputers and PCs in the 1980s, and the rise of the Internet over the last decade or so. He has edited daily, weekly and monthly publications, and has written for national and regional newspapers, in Europe and the US. In recent years he has taken a strong interest in information security and is a former Editor-in-chief of SC Magazine.
