I’ve heard a couple of times in recent weeks figures bandied about, supposedly from the acquiring banks, talking about the levels of PCI compliance. (I say supposedly because I don’t want to assert something that may not be right, but the sources aren’t too bad!)
Figures as high as 90% of self-assessments (as defined for Tier 2 and below) are coming back (supposedly) 100% ticked off. Now I ask: 90% all compliant, or 90% not all compliant yet? Did I hear right? Sure did.
Now these figures fly in the face of what we’re seeing out there, so the question needs to be asked – are we only seeing clients that by chance fall into that 10% and none of the other 90%, or does something sound wrong here?
The PCI DSS is not overly complex, but it is certainly full of grey areas in terms of depth of compliance and, most importantly, what’s in and what’s out of scope. Moreover, it sets minimum security requirements and controls far ahead of almost anything else that has been thrown at the private sector.
Every client we’ve had that has seriously looked at their level of compliance against the PCI DSS standard has had to make plans, to some degree, for changes to their environment – most acknowledging that compliance will be a longer-term project for them, with the resourcing and financial burden needing to be phased.
So what’s the other 90% doing? Keen to share that secret, guys? It will be interesting to see what an audit would turn up in the event of an incident… but then again, will it matter that much if Company X is only a Tier 3? Seriously though, some questions need to be asked if that figure of 90% is accurate.