Even with the very public data breaches of the last couple of years, many companies still view compliance with payment card industry (PCI) standards as an annual project -- and as a result, 80% of them fail compliance testing done in between those annual updates, according to Verizon Enterprise's latest PCI Compliance report, its fifth.
In the report issued Wednesday, Verizon Enterprise Solutions' findings show marked improvement in how seriously businesses are taking PCI compliance as part of their security plan and as a way to protect credit card data. But they also show that most businesses still view security as something you do as a project, not as an ongoing process, notes Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions.
And that's a problem, because Verizon's research shows a direct link between non-compliance and data breaches. Specifically, organizations that get breached are 36% lower in compliance than the average. Perhaps more importantly, when Verizon looked back at the history of breaches over the past ten years, it found that not a single breached organization was in compliance at the time of the breach.
"Some of them were not compliant at all, and others were just not compliant at the time of the breach," Simonetti says.
As organizations take PCI compliance more seriously, the latter category is of growing concern as it covers companies that make the effort to get compliant but then let it slip.
"Compliance is a tool they need to leverage," Simonetti says. "For too many organizations, compliance is not part of an ongoing risk management strategy. They work on it once a year rather than make it part of their ongoing process."
Another thing the report notes is that data security is inadequate, which is what leads to the substantial number of breaches making the headlines. Businesses need to do more than put up firewalls and try to prevent these attacks; they need to work harder to detect them when they happen, so as to mitigate the damage, he notes.
As usual, Verizon is offering some key advice with this year's report, beyond the usual nudge to businesses to get PCI compliant and stay that way. One of its major bullet points encourages businesses to accurately assess the scale of achieving and maintaining PCI compliance and whether or not internal resources are enough. Of course, this particular piece of advice plays well into Verizon's intention of selling more security services.
But the company also is encouraging companies to see PCI compliance as part of a comprehensive look at security that can reduce costs and eliminate duplication, and to maintain their own ongoing compliance efforts.
— Carol Wilson, Editor-at-Large, Light Reading