News Feature | March 12, 2015

Verizon PCI Report: Compliance Should Be A Process To Support Security

By Bernadette Wilson

According to Verizon’s 2015 PCI Compliance Report released on March 12, almost 80 percent of businesses fail interim Payment Card Industry (PCI) compliance assessments.

The report includes an analysis of Payment Card Industry Data Security Standard (PCI DSS) compliance in companies worldwide that experienced data breaches. Verizon’s research shows that, since 2009, organizations that experienced data breaches have shown “lower than normal compliance with a number of PCI DSS controls.”

During a panel discussion at the National Retail Federation’s Big Show in January, which included a preview of this year’s report, Rodolphe Simonetti, managing director of professional services for Verizon Enterprise Solutions, said, “What we can see, from the compliance assessments and the forensics investigation is, in fact, from the hundreds of companies we have seen, not a single company was compliant at the time of the breach.”

Another statistic he shared during the panel discussion addressed whether breaches point to a weakness in the standard itself or in how companies implement it: “We see that most breaches, 99 percent of them in fact, are not a failure of the standards. They’re a failure of the implementation of the standard, and that’s quite important.”

Verizon’s latest research reveals that only 29 percent of companies were still fully PCI DSS compliant within a year of being validated; however, nearly twice as many companies were found compliant at their interim review in 2014 compared to 2013. The areas where organizations most often fail to remain compliant are testing security systems, maintaining secure systems, and protecting stored cardholder data. Compliance improved from 2013 to 2014 in 11 of the 12 PCI DSS controls; the only area where the rate of compliance fell was testing security systems, which dropped from 40 percent in 2013 to 33 percent in 2014.

Simonetti also points out that the research shows data security is still inadequate; one need look no further than the number and scale of data breaches over the past year for proof.

At the NRF Big Show, Simonetti said, “Most companies still see compliance as a project — a project they manage for one, two, or three months a year — and they are not using compliance as a process to support security. In fact, that’s the only way to be effective.” 

He says PCI DSS compliance should be part of a comprehensive information security and risk-management strategy.

For an in-depth analysis of the 12 PCI controls, compliance against PCI DSS 3.0 and looking ahead to 3.1, and recommendations on how to facilitate and maintain PCI compliance, access the full report here.