Wednesday, 25 June 2008

European PCI: bad state or bad reporting?

A scary-looking headline in The Register this morning informed me that PCI DSS is further behind in Europe than we had previously thought. I read the first paragraph open-mouthed (lips only moving very slightly):
Nine in ten (88 per cent) European firms have failed to achieve compliance with a credit card industry standard for processing ecommerce transactions.
then came across the killer line:
A poll of 65 merchants across Europe by NetIQ
Oh dear. Sorry, but I've complained about this sort of thing before. I'd like to stop writing now, but I have some heavy sarcasm to dish out.

Come on NetIQ: 88% of 65 merchants ACROSS EUROPE equates to far less than 1% of all the merchants in Europe. After citing 65 as a total, the rest of your statistics cease to make any sense at all:
Worse, the majority (54 per cent) have no timetable for getting up to speed. Only 17 per cent of respondents reckoned that they would be compliant within six to twelve months.
Hmm, so 35 weren't interested, 30 were, but 11 were compliant, or on their way already. I don't really see what statistical significance, across several thousand merchants, there is in the difference between 11 and 35, but let's also look at who you were asking.

I presume these are all NetIQ customers, or people driven to the NetIQ website by promises of not having to do any work that morning, whilst being able to stare at a screen, and therefore look as though they were working, whilst not actually doing anything at all.

Something else which made my blood freeze as I read it, however:
Seven out of 10 of those quizzed by NetIQ reckoned that the penalties for non-compliance would only occasionally be levied, while 23 per cent said that fines would "almost never" be issued. Many of the merchants are more worried about dishonest workers than external hackers or business partners.
That's an awful lot of ignorance, even in such a small sample. Wake up, guys, this just isn't true. That's 45 merchants out there in Europe who are sitting ducks for a fine after June 30. I presume and hope that these are relatively small merchants, in which case they MAY have a short period of time before the hackers or auditors catch up with them; I am prepared to admit that the spotlight will be on the Tier 1 merchants in the first instance. However, it's a bit like relying on everyone else being fatter to avoid heart disease, i.e. stupid.

So far, then, all I can conclude from this survey is that NetIQ customers are ignorant, which isn't a great advert for them.
