PCI Compliance Is No Slam Dunk

A new report issued by Verizon this week on compliance with the Payment Card Industry Data Security Standard (PCI DSS) reveals that only 22 percent of the organizations assessed were PCI compliant at the time of their initial examination. But compliance is worth the trouble. According to the report, organizations that suffer credit card data breaches are 50 percent less likely to be PCI compliant.

Compliance is also not a distant goal in most cases. On average, non-compliant organizations were already following over 80 percent of the procedures required by PCI. Unfortunately, the three PCI requirements that cover the areas most vulnerable to security breaches (protect stored data; track and monitor access to network resources and cardholder data; and regularly test security systems and processes) are also the ones that companies struggle most to meet.

According to the report, the top attack methods used to compromise payment card data were malware and hacking (25 percent), SQL injection (24 percent) and exploitation of default or guessable credentials (21 percent).

In addition to tracking problem areas, the report identified best practices found in fully compliant organizations. These include:

• Building security into business processes from the beginning rather than adding it on.

• Aligning compliance and security and handling these issues with a single team rather than treating them separately.

• Treating compliance as a continuous process, not a point-in-time event.

• Avoiding “scope creep,” where activities above and beyond PCI requirements are added in an attempt to ensure compliance. The larger the scope of the assessment, the more costly and difficult it is for the organization to perform.

The compliance report is based on findings from PCI DSS assessments conducted by Verizon’s team of PCI Qualified Security Assessors (QSAs) in 2008 and 2009, and a review of a sample of approximately 200 assessments.
