PCI compliance lagging in Europe
By Mathew Schwartz
Technically speaking, the Payment Card Industry Data Security Standard (PCI
DSS) - set by American Express, Discover Financial Services, JCB, MasterCard
Worldwide, and Visa International - says it applies globally to “all members,
merchants, and service providers that store, process, or transmit cardholder
data.”
Explain, then, why research finds that European companies’ PCI compliance
levels are markedly lower than those of their counterparts in North America.
Perhaps this is by design: credit card brands do not operate as international
entities, but rather regional ones. For example, while companies in the U.S.
face a July 2008 deadline to implement application firewalls and source code
review, Visa Europe says businesses in Europe do not. This also suggests
European companies are not as far down the path toward PCI compliance.
What will it take to catch up? Experts say that if these companies are to
become PCI-compliant, the card brands and acquiring banks - responsible for
educating European merchants - will have to overcome multiple hurdles, including
apathy, confusion, and in some
cases, outright resistance.
PCI Compliance Varies by Region
How significantly do levels of PCI compliance, and perhaps awareness, vary by
region? In the U.S., Visa reported that as of August 2007, 44 percent of tier 1
merchants (processing 6+ million transactions annually) and 38 percent of the
tier 2 (processing 1-6 million transactions annually) complied with PCI.
In the UK, however, a September 2007 survey of retailers, financial services
institutions, and payment processing businesses, conducted by The Logic Group,
found that only about 1 in 10 was compliant. All of the companies surveyed
reported awareness of PCI (up from just half in 2005), and about 75 percent
were pursuing PCI compliance, but less than half expected to finish by 2009.
Is the rest of Europe even farther behind on the PCI compliance curve? A Visa
Europe spokesperson says that “PCI compliance does not differ significantly in
the Visa Europe markets.” Some industry watchers, however, disagree. Says
Mathieu Gorge, CEO of VigiTrust in Dublin, “The [PCI] leaders in Europe right
now would probably be in the UK, Ireland, and the Nordics.” Partially, he says,
that’s because North American PCI product and service vendors often sell
directly to the British Isles too, which has raised PCI awareness,
implementation levels, and Qualified Security Assessor (QSA) demand and
experience accordingly.
Follow the Breaches
British companies’ awareness of PCI, at least, should come as no surprise.
For starters, Britain has recently been beset by data breaches at insurer
Norwich Union Life, at the Ministry of Defence, and at numerous government
agencies. In addition, the TJX data breach - its British stores are known as TK
Maxx - did not go unnoticed, says Robin Adams, director of security consulting
at The Logic Group. “TJX and the associated TK Maxx headlines in the UK last
year certainly raised the visibility of PCI.”
If other parts of Europe don’t seem as preoccupied with PCI, that may be
because they have less of an identity theft problem to begin with. “The U.S. has
had some very, very bad situations where lots of data was stolen and
compromised, and the UK is also really bad,” says Martin Kuppinger, founder of
Kuppinger Cole Ltd., an analyst firm based in Düsseldorf, Germany. “But you
don’t see as much of it in central or mainland Europe.”
Not coincidentally, Europe also has less of a credit card culture. “Inside
mainland Europe, we have a special debit card given out by our banks which is
not credit card company issued - not Visa, or MasterCard, or Diners Club,” says
Sebastian Rohr, senior analyst at Kuppinger Cole. “These are straight debit
cards.” Likewise, consumers can share their bank account number and routing
codes with an e-commerce site to have funds withdrawn directly.
On the other hand, could European data breaches simply be going unreported?
Europe still doesn’t have a unified data breach notification requirement, notes
Austria-based Oliver Eckel, head of corporate security at Bwin Interactive
Entertainment AG. “Data privacy, yes; but data protection laws, no.” That could
change: the European Commission did finally propose such a law in December 2007.
Even if adopted, however, each EU member state would then need to transpose it
into its own national law and implement it.
Facing National Resistance
Another hurdle for PCI in Europe is that some organizations with control over
national cards appear to be resisting the standard. “I want to remain
diplomatic, as much as I can,” says VigiTrust’s Gorge. “But one thing that is
for sure is, the Groupement des Cartes Bancaires in France is making no secret
that they don’t agree with PCI being imposed on French entities.” At a recent
PCI Forum meeting in France, for example, he says officials from both French and
German card concerns questioned whether they needed PCI at all, especially
because national French cards, at least, have since 1992 carried a microchip
that requires the cardholder to enter a PIN before the card can be used in a
point-of-sale transaction.
Visa Europe’s response to questions of national resistance is blunt: “All
organizations that process or store Visa account data are obliged to be PCI DSS
compliant. Cartes Bancaires is no exception - French co-badged Visa cards used
domestically need to be protected, as do all payment cards.” (Indeed, chip-and-PIN
cards such as France uses protect only card-present transactions: they do nothing
for “card not present” transactions such as e-commerce, and nothing to protect
cardholder data once a merchant has stored, processed, or transmitted it, which
is precisely what PCI DSS covers.)
The Educational Imperative
Mandates aside, making the case for PCI in Europe appears to require further
justification, or at least clarification. Kuppinger, for example, relates that
at a recent PCI-themed meeting of his CISSP chapter, confusion seemed to
predominate. “There were a number of questions - everybody was unclear about who
needs to get certified, and who needs to get compliant with PCI.” To be sure, he
thinks that larger German entities covered by PCI are already well aware of its
requirements. Beyond that, however, he’s heard relatively few PCI-related
discussions.
Who’s responsible for educating merchants? That responsibility rests with
acquiring banks. In addition, a Visa Europe spokesperson says it “holds
educational sessions and publishes informational materials in several European
languages” - implementation guides for members and merchants written in English,
French, German, Italian, Spanish, and Turkish.
More, however, may be required. “I think where the brands are letting
themselves down, so to speak, is they’re not doing enough educational work. And
they may be relying on QSAs to do that, whereas QSAs are more focused on
validating [PCI] compliance,” says Gorge. As a result, many European companies
have adopted a PCI “wait and see attitude.”
Security Versus Compliance
Of course when these companies do begin pursuing PCI compliance, it won’t
happen overnight. As Eckel notes, PCI “changes the way you do business,” and
retooling business practices takes time. He should know: to comply with PCI,
Bwin transferred its multiple credit card processing operations to a single,
newly formed “daughter company,” now a tier-1 level merchant.
The overhaul took only eight months, but as an Internet-based business that
survived the dot-com bust, Bwin is used to rapid organizational change. At other
types of companies the compliance process can take longer; some consulting firms
say 18 months is not unusual. “Many companies don’t already
have the basic security processes in place that they require,” says Eckel. For
example, many “are not ISO [17799 or 27001]-compliant, and to be honest, most
companies probably just don’t do best practices in the security area.”
Perhaps some European companies still haven’t learned lessons that their
American counterparts are discovering the hard way. “It goes back to that whole
thing of, being compliant will make you secure,” says Gorge, referring to a
misconception common to companies with immature information security and IT
compliance practices. “Whereas it’s the opposite: being secure will make you
compliant.”
Will it take a TJX-size data breach in Europe to rally local information
security holdouts, and overcome lingering apathy, confusion, or resistance to
PCI? Time will tell.
About the Author: Mathew Schwartz is a freelance business and technology
journalist who regularly covers IT, information security, and compliance trends.