The Green Sheet Online Edition
March 22, 2010 • Issue 10:03:02
PCI compliance audits are not cheap
According to a study by global technology provider Thales and research firm The Ponemon Institute, titled PCI DSS Trends 2010 - QSA Insights, large merchants who must undergo on-site Payment Card Industry (PCI) Data Security Standard (DSS) audits spend an average of $225,000 a year toward compliance.
The study also found that 10 percent of these merchants pay $500,000 or more a year.
The report indicated that 2 percent of merchants receiving on-site audits by Qualified Security Assessors (QSAs) fail their audit, and 41 percent would fail without the use of what are called "compensating controls" under PCI rules.
These controls involve certain stopgap measures outside strict PCI guidelines to address technical difficulties.
The study surveyed 155 QSAs worldwide about their customers' spending on annual on-site PCI audits, which the card brands require of large merchants (those processing over 6 million Visa Inc./MasterCard Worldwide transactions a year) to process electronic payments.
Fifty-four percent of the surveyed QSAs said their clients feel PCI DSS compliance is too expensive; 52 percent said most merchants are not proactively taking sufficient measures to handle data security.
Sixty percent said encryption is the most effective technology their clients use to protect consumer data.
Regarding the day-to-day management of encryption, 41 percent of QSAs said controlling access to encryption keys is the most difficult task involved. Eighty-one percent recommend using a hardware security module for encryption and key management.
Not surprisingly, most QSA respondents said card data is under the greatest threat when stored in merchant networks and databases - an assertion long made by industry security analysts.
For more information, visit iss.thalesgroup.com.
Trends in mobile banking
According to a research paper by Celent LLC, Are Banks from Mars, Mobile Banking Vendors from Venus?, of the top 50 U.S. financial institutions, 20 offered mobile banking in 2008; 25 did in 2009, a jump of 25 percent.
While this would seem to foretell the continued adoption of mobile banking by other banks that don't presently use it, the report predicts its adoption will essentially plateau among large banks.
According to the report, none of the top 50 financial institutions without mobile banking in 2009 had adopted the service as of January 2010.
Of the remaining 25 institutions not to offer it, almost all are either not truly "retail banks" - meaning they don't have branch networks or offer retail banking products - or are foreign owned.
The report also found that, among all commercial banks, savings institutions and credit unions in the United States, the 25 top financial institutions offering mobile banking account for 45 percent of the nation's mobile banking deposits.
Among financial institutions generally, mobile banking has yet to plateau - suggesting that the growth in this market will likely be greatest among smaller financial institutions. The total number of institutions offering mobile banking between 2007 and 2009 grew from 100 to 613; that number jumped to 696 in the first quarter of 2010.
For more information, go to www.celent.com.