PCI in Europe Today
I attended the 2009 PCI Community meeting in Europe last week. Since this was a feedback year, there wasn’t a significant amount of new content; however, there were some interesting points regarding PCI adoption in Europe.
It’s been discussed quite frequently that the Europeans are behind North America in implementing PCI, especially at the merchant level. In my experience and based on the discussions at the conference, I’d say this is true. The consensus at this year’s conference was that this situation is beginning to change.
The traditional arguments against adopting the PCI DSS, such as those surrounding increased security due to Chip and PIN, elicited a fair amount of eye rolling even from other Europeans in the audience. One of the other core reasons for slower adoption is that country-by-country legislation already covers much of what PCI does (France and Germany were the two most cited examples). Interestingly, U.S. state-based legislation was cited as a similar and perhaps more stringent (and therefore more effective) means of securing credit card data. In fact, one of the attendees cited my home state’s legislation, the Minnesota Plastic Card Security Act, which, in my opinion, has had very little impact on organizations that do business in the state.
I think that there are three key items that will drive PCI’s adoption in Europe. First, the Europeans will need to understand that, while very effective for face-to-face transactions, Chip and PIN does not protect card-not-present (CNP) transactions. As more business is done online, organizations are going to need to deal with the issues that PCI addresses and that Chip and PIN does not. Second, and perhaps most important, acquiring banks will need to enforce the PCI standard. This was a key topic of discussion at the conference and one that appears to still be open. Finally, and highly related, the card brands in Europe are going to need to support the PCI standard. The commentary that I heard at this meeting was that this appears to be happening. If that is the case, it should only be a matter of time before the acquiring banks, and therefore merchants, take PCI as seriously in Europe as they do in North America.