25% of Mobile Network Operator survey respondents not PCI DSS compliant
May 2011 by Vesta Corporation
A survey conducted by Vesta Corporation has revealed that over a quarter of Mobile Network Operators (MNOs) are not compliant with the Payment Card Industry Data Security Standard (PCI DSS). A further 35% of respondents did not know that financial penalties could be levied for non-compliance by the card associations.
Today, just 37% of all payments are made with cash or cheque (Federal Reserve Bank of Boston: 2009). Consumer migration towards electronic payment methods means that securing payment information is becoming increasingly important. A number of recent high-profile data breaches resulting in the loss of cardholder data, such as Sony, are a testament to this.
In Q1 2011, Vesta invited 16 tier one and tier two MNOs in the U.S. and Europe to participate in a survey assessing PCI DSS compliance. Summarised in a whitepaper available today, Vesta’s indicative research reveals how PCI DSS compliance most impacts operators, how operators are managing compliance, and best practice solutions for maintaining the security standard.
The survey revealed that:
25% of respondents are not currently PCI DSS compliant
The average cost of initial PCI DSS compliance was approximately $700,000 USD
The average annual cost of maintaining PCI compliance was over $1,390,000 USD
35% of respondents did not know that penalties could be levied by the card associations for non-compliance
Respondents believed the greatest risk of non-compliance is the loss of customer confidence in the MNO
In the case of MNOs, PCI DSS compliance is particularly important. Compared to merchants in other industries, mobile operators usually operate more complex electronic payment channels including web, IVR, live agent, SMS and handset application, among others. Ensuring compliance across this range of payment channels provides a number of unique challenges.
“The survey shows that there is clearly room for improvement by the mobile operator community in addressing PCI DSS compliance, and it is critical that operators not yet compliant take appropriate measures to ensure the security of their customers’ sensitive cardholder data,” said Joshua Rush, VP Marketing at Vesta. “However, compliance should not be viewed as a mandatory demand by the card associations but as a competitive sales and marketing differentiator at a time when data security is of paramount concern to subscribers.”