While credit card data breaches remain all too common, a new report from Verizon Business shows that following industry security standards can dramatically reduce such incidents.
In the ‘Verizon Payment Card Industry Compliance Report’ the company examines the state of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006 to protect cardholder data and reduce credit card fraud.
Company investigators found that breached organisations are 50 percent less likely to be PCI compliant and that only 22 percent of organisations were PCI compliant at the time of their initial examination.
In addition to assessing the effectiveness of the PCI DSS, the report identifies which attack methods are most common and provides recommendations for businesses on earning and maintaining PCI compliance.
“The Verizon Payment Card Industry Compliance Report gives organisations an unprecedented view into the state of PCI compliance across the board, specifically pointing out which requirements are most difficult to meet,” said Peter Tippett, Vice President, Technology and Innovation, Verizon Business. “We hope this report will help organisations approach PCI compliance in a more informed and effective way. Ultimately, we want the same thing as the rest of the industry: fewer payment card losses and data breaches.”
The findings demonstrate that following PCI requirements can reduce the likelihood of a breach. Additionally, to obtain a more in-depth view of the data, Verizon overlaid the findings from payment card breach cases included in the ‘Verizon 2010 Data Breach Investigations Report’ (DBIR), and then analysed the combined data set for commonalities. Top findings include:
Only 22 percent of organisations are compliant initially.
Most organisations were not compliant with the PCI requirements at the time of the Initial Report on Compliance. The majority of the fully compliant organisations were veterans of the process or were not required to comply with all of the requirements.
Compliance, however, is in reach. While 78 percent of organisations are not compliant initially, the findings show that, on average, organisations meet 81 percent of the procedures required by PCI. In fact, three-quarters of the organisations met at least 70 percent of the testing procedures, meaning that with more diligence, they have a good chance of becoming compliant. Only 11 percent of organisations met less than half the testing procedures at the time of their initial review.
Organisations that suffer a breach are 50 percent less likely to have achieved or maintained PCI compliance.
At the end of a forensic or data breach investigation, Verizon investigators assess how compliant the organisation is with PCI. By reviewing this data against official PCI assessments, Verizon analysts determined that organisations that had a data breach are 50 percent less likely to be compliant with the standard than PCI customers.
There is a correlation between data breaches and the difficulties companies face in complying with certain PCI requirements. Of the 12 requirements that comprise the PCI DSS, three of them – protect stored data, track and monitor access to network resources and cardholder data, and regularly test security systems and processes – cover areas that are most vulnerable to security breaches, according to the DBIR.
The report found that the PCI requirements address the most common attack methods used to capture cardholder data. In several instances, multiple layers of controls exist across the standard.
“Our findings demonstrate that adherence to PCI DSS requirements can help organisations deter, prevent and detect likely security threats,” Tippett said.