The vast majority of UK firms have yet to be certified as PCI DSS compliant with a third unsure if they will meet an upcoming September deadline, according to research commissioned by vendor Tripwire.
The survey of 100 retail, financial services and hospitality businesses, conducted by Redshift Research shows that only 11% of companies are currently audited and certified as compliant.
In addition, 35% of respondents still do not fully understand PCI compliance requirements, and nearly a third do not know if they will be compliant by the September 2010 deadline.
The research survey reveals that 32% of companies are currently responding to weaknesses that were identified in their PCI DSS pre-audit, 27% will put off becoming compliant for as long as possible, 14% have completed a pre-audit but not undertaken any further action and 14% are not compliant and are not in the process of becoming so.
In addition, 39% of respondents believe that credit card security should be the problem of the credit card companies. Meanwhile, only a quarter have a dedicated PCI DSS Project Manager with 78% saying that issue falls within the remit of IT security.
Smaller businesses are lagging behind larger companies in terms of PCI readiness, with all Level 1 merchants saying they understand the issue, compared to just 44% of Level 4 firms.
Comparing the results by industry sector, 57% of retailers admit that they still do not fully understand PCI requirements, compared to 27% of finance companies and 27% of leisure firms.
A fifth of finance companies say they will not be compliant by the September 2010 deadline, and a further 20% do not know if they will meet it.
Guy Washer, MD, Redshift Research, says: "The results suggest that many companies could actually be taking a 'blind faith' approach to PCI compliance. Despite the fact that most companies remain confident of meeting the PCI deadline, only a small minority are currently audited and certified as compliant, and there is still confusion over PCI standards."