Orthus Survey Indicates Over 75% Of Hospitality Sector Mistakenly Believe They Are PCI Compliant

LONDON, United Kingdom - March 7, 2011 - Orthus Limited today released the results of a survey of 1000 Level 4 Merchants in the United Kingdom hospitality sector, conducted to verify their PCI DSS compliance status.
By: Orthus PR
 
March 7, 2011 - PRLog -- The findings showed that 77% of the 1000 Level 4 Merchants surveyed who claimed to be Payment Card Industry (PCI) Data Security Standard (DSS) compliant were in fact not compliant. The survey results also indicated:

•   Of the respondents claiming to be PCI compliant, 94% stated they had conducted the required vulnerability assessment scanning.
•   Of the respondents claiming to be PCI compliant, only 36% stated they had conducted required security penetration testing.
•   Of the respondents claiming to be PCI compliant, only 9% stated they had security policies.
•   Of the respondents claiming to be PCI compliant, not one had conducted the required wireless scanning.
•   Only 24% of the respondents stated they had executed a self-assessment questionnaire (SAQ).
•   Of the 24% who had executed a SAQ, less than 50% stated they had submitted it to their Acquirer.

The results of the survey are disturbing and indicate that businesses do not understand the PCI DSS requirements and what constitutes compliance. Almost all of the Level 4 Merchants surveyed who mistakenly believed they were compliant stated that they were told by a vendor that compliance entailed conducting vulnerability scanning. Upon completing the scanning, the Merchants understood themselves to be compliant and therein lay the problem. Merchants are getting their information primarily from vendors who have a vested interest in selling their product.  (http://www.orthusintel.com)

“Misinformation is a significant problem in the market. Vendors are selling their products as facilitating PCI compliance and buyers are not doing their homework,” says Orthus Data Compliance Specialist, Courtney Bryan. “If the vendors are affiliated with an Acquiring Bank, their products are even perceived as required for compliance, so after a Merchant purchases them, they naturally assume they are now compliant,” states Bryan.

“Something has to be done about this problem. Merchants need unbiased advice and assistance with implementing this risk management framework to prevent card data theft and fraud. There is a real knowledge void in the market about what constitutes PCI DSS compliance and until it’s addressed, vendors will continue to exploit it while the Merchants carry the risks,” says Bryan.

For more information or a copy of the survey entitled “PCI Compliant: Are You Really Sure?”, contact cathy.jacobs@orthus.com

# # #

Orthus is a leading provider of Information Security, Business Continuity, and Data Compliance services, with over 100,000 supported systems globally. Orthus provides a range of simple packaged solutions to identify, minimise and manage security, compliance and business continuity gaps before incidents escalate.
These services are delivered by Orthus resilient infrastructure and supported by expert consultants backed up by unsurpassed service level guarantees and full cost coverage for data breaches, compliance failures and downtime. This ensures incidents are caught before they become major problems and customers can continue with Business as Usual, Guaranteed at a low predictable cost. For more information, please visit http://www.orthusintel.com