UK PCI compliance slow, but card fraud trends downward

Despite what could be considered painstakingly slow progress toward compliance with the Payment Card Industry Data Security Standard among UK organisations, recent statistics show it may be working to reduce payment card data theft. Still, the spectre of card data theft looms.

A reminder of that danger came in January, when cosmetics retailer Lush was forced to close its website after discovering that hackers had been stealing customers' credit card details for up to four months previous. The company has since had to rebuild both its systems, and, more importantly, its brand.

Lush's new temporary trading site provides plenty of details about the steps the company has since taken to make sure nothing similar happens again. It even provides an account of the various new technology partners it is working with, as well as attesting that its payment processes are now fully PCI DSS compliant.

"We occasionally get terrified merchants coming to us saying 'I don't know what to do, I have no idea what PCI is; please help.'"

Jan Fry, Procheckup Ltd.

However, Lush is by no means alone in its earlier ignorance of (or disregard for) PCI DSS, according to Jan Fry, head of the PCI auditing practice at penetration testing company Procheckup Ltd. "We occasionally get terrified merchants coming to us saying, 'I don't know what to do; I have no idea what PCI is. Please help.'" he said.

Many merchants also confirm their acquiring banks have so far put little pressure on them to become compliant with the standard. "PCI DSS is still not a priority for some big companies," Fry said. "They have the power to put it to one side, and the banks don't necessarily chase them about it because they don't want to lose that customer."

Nevertheless, card fraud is still trending downward. In March of this year, the UK Cards Association, a trade body for the payment card industry, announced that credit and debit card fraud trends in the UK had fallen to a 10-year low.

Overall, card fraud in 2010 was down 17% from the 2009, and losses due to cloned or skimmed cards dropped by 41%. In the same period, card-not-present fraud (where customers order online, by phone or by mail) also fell by 15%.

The association said the reduction in fraud had come as a result of more fraud-detection tools used by banks and shops, and the increased use of chip and PIN cards, It's unclear whether PCI DSS programmes are also having an effect, even where companies have not yet reached full compliance.

While the trend is encouraging, card fraud losses are still staggering. In 2010, they amounted to a massive £365.4 million; in other words, approximately £1 million per day for every day of the year.

As Detective Chief Inspector Paul Barnard, head of the Dedicated Cheque and Plastic Crime Unit, commented: "Whilst another drop in fraud is good news, the fraudsters haven't shut up shop, which is why there can be no room for complacency on the part of the banking industry, retailers, law enforcement or indeed customers themselves."

For the retailers, that means pressing on with making their own systems and procedures for handling card data more secure, and for most that includes achieving PCI DSS compliance. And as figures published in January by Barclaycard (see sidebar) show, while PCI DSS compliance projects are making some progress, most industries still have a long way to go. However, for Neira Jones, head of payment security for Barclaycard, the compliance index only tells half the story.

"Compliance is growing, but now the conversation is more about risk," she saidw. "It should not be just about an annual audit, but more about avoiding customer data being breached or used fraudulently. It is becoming more about sustainable investment. It is a more adult approach."

In other words, compliance by itself does not necessarily equate to security, although it can be a good starting point. Jeremy King, the European director for the PCI Security Standards Council, makes the same point, describing PCI DSS as "the first three feet in a 10-foot wall of security."

He also promotes the prioritised risk approach (a downloadable guide to this approach is available from the PCI Security Standards Council) that seeks to focus efforts first on the most sensitive authentication information.

So does it matter if a company is not going to be compliant in the near future? "No, as long as they aren't breached," Jones said. "Big organisations have complex environments, and we are working with them on the risk-based approach to achieve a sustainable investment in information security."

But, PCI DSS compliance is still a necessary step toward the ultimate goal of keeping sensitive data secure, and all organisations need to demonstrate to their acquirers that they have a proper plan for achieving it, even if they still have some way to go.

Procheckup's Fry said many organisations get bogged down with technical aspects of the standard. "The gritty technical details can prove difficult," he said. "Historically the biggest difficulties have been around logging. Companies struggle to understand what they need to do to fulfil the requirements. For instance, what would an investigator need to track the movements of a hacker in the network?"

Fry is also sceptical about the effectiveness of the standard. "The way technology is moving, organisations find it hard to keep control over their environments," he says. But the Security Standards Council is caught between trying to keep pace with technological changes, and giving stability to merchants. "If the Council tries too hard to keep up, then people will complain there are too many changes taking place," Fry says.

In the meantime, card fraud is still falling, and Barclaycard's Jones attributes this, in some measure, to a general higher awareness of the dangers. "Everyone is more aware about security - merchants, retailers, consumers, third-party payment providers. They don't fall that easily for simple scams," she says. "And there is more awareness of the PCI standards."