IT and compliance chiefs are questioning the simplicity of the new PCI payment card security standard.
The technology infrastructure that sits behind credit and debit cards is something the financial services industry can be justly proud of. Its global scope, ease of use and high performance all make cards a compelling part of modern business activity. That also makes them an irresistible target for criminals.
Indeed, such is the scale and sophistication of card fraud, say trend-watchers at security services company RSA, that stolen details are now traded through online superstores in bulk transactions that include not only upfront sales pitches (“excellent quality guaranteed”) but built-in refund policies and warranty agreements too. But as the business of stolen card details becomes ever more lucrative, the importance of protecting those details has never been more apparent to businesses.
That makes the newly introduced Payment Card Industry Data Security Standard (PCI DSS), a set of requirements that merchants handling card transactions, and the service providers that process cards on their behalf, are now expected to follow, a significant milestone. But it is also one that many retailers are already struggling to reach.
Bad Dream
While not a law in itself, the US-originated PCI standard is enforced through the card brands' contracts with acquiring banks, and through them with merchants, so it promises to wield more than a little commercial clout. Devised by the world's largest and most muscular credit card operators, including Visa and MasterCard, PCI is a pre-emptive move to self-regulate the payment card industry and mitigate the escalating costs of global credit card fraud. The standard sets out 12 requirements, ranging from technical controls such as firewalling, encryption of stored cardholder data and logging of access to that data, to policy and regular testing. Failure to comply could result in steep fines of up to $500,000 or, in extreme cases, a ban on participation in card transactions.
While this last scenario could prove devastating for a major retailer, the good news, argues Amer Deeba, vice president of product marketing for Qualys, is that the technically prescriptive nature of PCI makes it relatively easy to implement. "If you read it, it really is a very simple regulation. You know where you stand. If you fail, you know what you need to do." As one of a slew of companies that worked closely with the credit card consortium to devise the standard, on-demand security provider Qualys is hailing the standard's intrinsic simplicity. But beneath that equanimity, there are some extremely challenging times ahead for IT directors, security officers and compliance officers.
Compliance officers in particular, says David Taylor, president of the PCI Security Vendor Alliance, have struggled to grasp the depth and scope of the standard. Many such individuals, he explains, were recruited during the rush to comply with Sarbanes-Oxley, a governance-heavy regulation largely preoccupied with financial controls rather than technical detail. The intensely technical nature of PCI, therefore, eludes the vast majority of those charged with its implementation, he argues.
But even in organisations where such chores are passed directly to IT management, PCI is not proving as easy to absorb as many would claim. At the top end of the scale in particular, where the number of card transactions runs into tens of millions, explains John Walker, CSO of an online financial services firm, "just finding where the standard touches within your environment and infrastructure is a major challenge", requiring organisations to track down cardholder data that has accumulated, across the business, over a number of years.
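The scoping problem Walker describes is usually attacked with a cardholder-data discovery pass: scan logs, exports and configuration for strings that look like primary account numbers (PANs) and keep only those that survive a Luhn check and match a card brand's issuer prefix, so that the report is not swamped by timestamps and order numbers. The following is an added example of that pass, not code from the article or from any vendor it names. The sample files are constructed, the card numbers in them are well-known published test numbers rather than real accounts, and the brand prefix table is deliberately simplified; a real scanner would use a full IIN list and walk a filesystem or database rather than an in-memory dictionary.

```python
"""Cardholder-data discovery over constructed sample text (added example).

Finds PAN-like digit strings, validates them with Luhn and a simplified
brand-prefix table, and reports them masked, so the report itself does not
become another store of card data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Loose candidate match: 13-19 digits, optionally grouped with spaces or hyphens.
# The Luhn and brand checks below do the real filtering.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer prefixes (assumption: real IIN tables are far larger).
_BRANDS = (
    ("visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("mastercard", re.compile(r"^(?:5[1-5]\d{2}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720))\d{12}$")),
    ("amex", re.compile(r"^3[47]\d{13}$")),
)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check, as used for payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str | None:
    for name, pat in _BRANDS:
        if pat.match(digits):
            return name
    return None


def mask(digits: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    brand: str
    masked_pan: str


def scan_text(source: str, text: str) -> list[Finding]:
    """One Finding per Luhn-valid, brand-matching PAN in `text`, masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue  # timestamps, order ids, and other digit noise stop here
            brand = brand_of(digits)
            if brand is None:
                continue  # Luhn-valid but not a card prefix we recognise
            findings.append(Finding(source, line_no, brand, mask(digits)))
    return findings


# Constructed sample input: the kind of forgotten data a scoping exercise turns up.
# Card numbers are published test numbers, not real accounts.
SAMPLE_FILES = {
    "app/logs/checkout.log": (
        "2007-03-02 10:14:01 INFO order=883920 total=49.99 status=ok\n"
        "2007-03-02 10:14:03 DEBUG authorising card 4111 1111 1111 1111 exp 09/09\n"
        "2007-03-02 10:14:05 INFO order=883921 ref=1234567890123\n"  # 13 digits, fails Luhn
    ),
    "export/customers_2004.csv": (
        "id,name,card\n"
        "1,A. Smith,5555-5555-5555-4444\n"
        "2,B. Jones,378282246310005\n"
        "3,C. Brown,4000000000000001\n"  # fails Luhn: noise, not a PAN
    ),
    "etc/app.conf": "db_host=10.0.0.5\nsession_timeout=1800\n",
}


def scan_all(files: dict[str, str] = SAMPLE_FILES) -> list[Finding]:
    out: list[Finding] = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.source}:{f.line_no} {f.brand} {f.masked_pan}")
```

Run against the sample it reports three hits: the Visa number in the debug log, and the Mastercard and Amex numbers in the old customer export. The 13-digit reference number and the final CSV row are dropped by the Luhn check, which is the point of validating rather than pattern-matching alone. The debug log line is also the typical finding of such a scan: a developer's trace left on, writing full PANs to a file nobody thought of as a cardholder-data store.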
And that can prove onerous. The workload forced Steve Hoy, IT manager at online hotel booking company Conferma, to involve his entire IT team in a six-month compliance project that has been weighed down by PCI’s ambiguity.
It should come as little surprise to the PCI council, therefore, that adoption rates are lagging, with nearly 60% of retailers confessing that they don't fully understand the standard's requirements and would fail an audit if tested. Simplicity, it seems, is not always a virtue.