PCI Compliance Lagging, Study Says
Verizon Enterprise Solutions said today its first-ever study of industry compliance with credit card security standards shows that companies whose credit card records were breached were 50 percent less likely to have implemented those standards.
So basically, the best way to prevent credit card numbers from being stolen is to use the Payment Card Industry Data Security Standard (PCI-DSS), the industry standard developed four years ago to protect credit card data.
But the Verizon study shows that only 22 percent of organizations were PCI compliant when they were initially examined, in a process known as Initial Report on Compliance, or IROC.
The purpose of the study was to attack the credit card protection problem with data -- not marketing spin -- to show companies the value of compliance or rather, the risks of non-compliance, says Jen Mack, director of Global PCI Consulting Services for Verizon, which announced PCI compliance for its computing-as-a-service offering earlier this year (See Verizon CaaS Gets PCI Approval.)
Verizon, which already does an annual data breach study, is also building on its reputation in the security arena, where it provides managed security services, software-as-a-service cloud offerings, and professional consulting. (See Verizon Scales Security for SMBs and Verizon Tempts Retailers With Managed Services.)
Mack says Verizon was actually surprised that compliance numbers were as high as 22 percent and upon further examination determined that those companies that were compliant either had relatively simple security needs or were veterans of the PCI process.
Other companies tended to clean up their acts after the IROC process to be in closer compliance six weeks later, at the second evaluation, Mack says.
The PCI-DSS requirements provide 12 requirements that cover everything from physical security to network access and control, but the Verizon report shows three particularly tricky standards that companies have trouble meeting –- and that are the top three reasons for data breaches.
Those three are protection of stored data, tracking and monitoring access to network resources and cardholder data, and regular testing of security systems and processes.
The last area might not seem that difficult, but Mack says too many companies work hard to get into compliance and then think they are done.
"We want them to think of security as a process, not an event," Mack says. "Things change and you have to be constantly testing your security procedures to stay up to date."
A large number of companies -– 78 percent -- were mostly compliant, hitting 81 percent of the PCI standards, but it's that "last mile" that can be tough. That's one thing Verizon wants to study further.
"The last-mile approach, that 19 percent that is outstanding, what is that 19 percent comprised of? How much risk is in there?" Mack asks. "If you are looking at a prioritized approach for the PCI Council, that is something we want to metric."
— Carol Wilson, Chief Editor, Events, Light Reading