Skip navigation
Skip navigation
You are using an outdated browser. Please upgrade your browser.

…Confused and contradictory advice is often given by
qualified security assessors…

London, 6 July, 2009: Portaltech, a leading UK eCommerce Systems Integrator and Consultancy, suggested today that the PCI standard has not yet accomplished what it set out to achieve. The PCI Data Security Standard (DSS) is a worldwide information security standard put together by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organisations that process card payments to prevent credit card fraud through increased controls of data and its exposure to compromise. The standard applies to all organisations which hold, process or pass cardholder information from any card branded with the logo of one of the card brands.

Andrew Walker, CEO of Portaltech, commented: “The standard is ambiguous and there is a feeling in the industry that the card issuing companies don’t mind the ambiguity. Even though there have been many versions of the standard, each one is more onerous than the last and has not been successful in ironing out the problems. There is also a concept of ‘scoping’ – where the implementation decisions can reduce the scope to which the standard applies. This in turn causes confusion and means that some systems and processes may fall outside the boundaries of the standard and therefore will not be investigated – even if these systems or processes contain sensitive personal information.”

Walker continued: “It has been suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security. The fact is, you can be PCI-compliant and still be insecure. Look at online application vulnerabilities. They're arguably the fastest growing area of security, and for good reason — exposures in customer-facing applications pose a real danger of a security breach.” Furthermore, a recent report by Verdict Research suggests that online growth is slowing which means that competition between retailers for online shoppers will be harder and the customer experience becomes more important. However, PCI DSS is a step towards making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems.

Companies have had security breaches while being registered as PCI DSS compliant. In 2008 one of the largest payment service providers, Heartland Payment Processing Systems, suffered a data breach which has been estimated by some as exceeding one hundred million card numbers. Other notables include the Hannaford Brothers and the Okemo Mountain Resort, each of which was PCI compliant. It has been noted that this may be an indication of the limits of a snapshot certification; the evaluation cannot ensure that the target company will maintain the good practices seen in an audit.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organisation is handling, but regardless of the size of the organisation, compliance must be assessed annually. Organisations handling large volumes of transactions must have their compliance assessed by a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission. However, Portaltech has found that the advice and assessment can be different depending on the individual QSA – even if they are from the same company – adding further to the standards ambiguities.

About Portaltech
Portaltech is a specialist technology consultancy that focuses on designing, developing, integrating and supporting market leading eCommerce solutions. Our reputation is founded on technical excellence and the ability to successfully deliver complex projects for a range of brands and companies in the Retail, Telco, Consumer Products, Logistics and Media & Entertainment industries. By utilising this cross sector experience with expertise in technology evaluation and selection, project implementation and Web 2.0 consulting services, we are able to advise and support our customers to transact in both online and multi channel sales environments.

Media Contact:
Gillie Tennant or James Cooper
Ascendant Communications
Tel: 0208 334 8041
Email: /

This press release was distributed by ResponseSource Press Release Wire on behalf of Ascendant Communications in the following categories: Retail & Fashion, Computing & Telecoms, for more information visit