Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

PCI Security Compliance Remains Problematic, Says Verizon Report

Despite the risk of steep fines and increased transaction fees, many businesses are still failing to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). That’s according to a new report today from Verizon, showing that for the second year in a row, many businesses are struggling to comply with payment card security standards and putting consumers’ information at risk.

Despite the risk of steep fines and increased transaction fees, many businesses are still failing to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). That’s according to a new report today from Verizon, showing that for the second year in a row, many businesses are struggling to comply with payment card security standards and putting consumers’ information at risk.

PCI Compliance ChallengesAccording to the Verizon Payment Card Industry Compliance Report, most businesses that accept credit or debit cards continue to struggle to achieve and maintain PCI compliance and are also facing pressure from partners and customers to prove continued compliance. According to this year’s Verizon’s report, only 21 percent of organizations were fully compliant during the initial audit. Last year Verizon reported that number to be 22 percent – an inconsequential change in one year. Last year Verizon’s report also suggested that organizations that suffer credit card data breaches were 50 percent less likely to be PCI compliant, indicating that compliance is worth the trouble.

Related Story: New PCI Guidance Spells Big Changes for Virtual Environments

“We had hoped to see more organizations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organizations and in all likelihood lead to fewer breaches,” said Wade Baker, director of risk intelligence, Verizon. “By reviewing this report, organizations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance.”

Key Findings Top findings from the 2011 Verizon Payment Card Industry Compliance Report include:

• Difficulty in achieving compliance, along with overconfidence, complacency and the need to focus on other compliance and security issues are among the possible reasons for the widespread PCI noncompliance.

• Organizations struggled the most to comply with requirements 3 (protect stored cardholder date), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies), all of which are directly linked to protecting cardholder data.

• Failure to prioritize compliance efforts often means high-risk security threats are ignored. Launched in 2009, the Prioritized Approach was created to help organizations identify and reduce risk to cardholder data and to ease the annual PCI process. The report found that rather than using a risk-based approach to PCI compliance, organizations instead rely on the PCI DSS for guidance. As a result, many organizations are ignoring security threats with the highest risk and potential for the largest negative impacts.

• PCI standard offers protection against the most common attack methods. Malware and hacking are the most predominant methods used to gain access to cardholder data. Several overlapping PCI requirements are aimed at protecting against these attack methods.

Advertisement. Scroll to continue reading.

The report is based on findings from more than 100 PCI DSS assessments conducted by Verizon’s team of PCI Qualified Security Assessors in 2010, as well as data gathered by Verizon’s Investigative Response group while investigating real-world payment card data breaches. Additionally, the Verizon Risk Intelligence team overlaid the assessment findings with data-breach cases from the 2011 Verizon Data Breach Investigations Report, resulting in a richer, more thorough data set. The assessments include data from organizations based in the U.S., Europe and Asia, representing for the first time the global nature of the PCI standard.

The full report can be downloaded here.

Related: Public Cloud eCommerce Truths: The Basics of New PCI DSS 2.0 Standards

Related: Strategies for PCI Compliance in Virtualized Environments

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Compliance

Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...