A new study from Verizon Business found that while organizations may have the best intentions of achieving compliance with the Payment Card Industry Data Security Standard, many have difficulty keeping up with the regulation's requirements, which may be putting sensitive consumer information at risk.
Created by several major credit card brands, including Visa, MasterCard, JCB and AMEX, the PCI DSS is an important data protection standard, as it details many of the best practices for businesses to keep consumer credit and debit card information out of harm's way. Though not regulated by a government body, businesses that fail to adhere to the standard may be subject to fines, forensic audits, card replacement costs and reputational damage.
According to the study, which examined the PCI DSS practices of 100 companies from around the world, the percentage of companies that were compliant with the standard has stayed roughly steady since last year. In its 2010 PCI compliance report, Verizon found 22 percent of organizations to be fully compliant with the PCI DSS. Twelve months later, that figure has slipped by a single percentage point.
What's surprising is that many businesses actually achieved compliance with the PCI DSS during the testing period, but they were unable to maintain compliant practices throughout the entire year. Verizon described this ultimate stagnation as "a bit disappointing," adding that it had expected PCI DSS compliance to increase as businesses become more familiar with the standard.
"This is clearly an event for them rather than something that is a continuous process," said Wade Baker, director of risk intelligence for Verizon Business. "We're seeing lots of scrambling to get things in order for the assessor and that's not the intent of PCI DSS at all."
Verizon assessed businesses against the standard's 12 requirements, the majority of which concern data security practices such as encryption, antivirus software and firewall configuration. According to the study, the areas with which businesses struggled the most were three of those requirements: protecting stored cardholder data; tracking and monitoring all access to network resources and cardholder data; and regularly testing security systems and processes.
Furthermore, businesses that achieve compliance with the PCI DSS may generally be better prepared to protect consumer data than those that do not.
"We had hoped to see more organizations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organizations and in all likelihood lead to fewer breaches," said Baker.
On this point, Baker may be correct. According to an earlier study conducted by the Ponemon Institute, businesses that are compliant with the PCI DSS are likely to suffer fewer data breaches than those that are not. In a survey of 670 IT security practitioners, the Ponemon Institute found that 64 percent of PCI-compliant organizations had suffered no data breaches in the last two years, while only 38 percent of non-compliant organizations had suffered no breaches.
The Verizon report detailed several of the threats facing businesses handling payment card information. Data sent to external sources and backdoors were the top threats, both accounting for 44 percent of data breaches. Hacking threats such as exploitation of credentials and exploitation of backdoors were next on the list, representing 43 percent and 42 percent of breaches, respectively, Verizon reported.
Less prevalent but still notable threats include tampering, spyware, brute force attacks and interfering with security controls, among others.
There are several steps a business can take to achieve compliance with the PCI DSS. Verizon noted that awareness of the standard and integration of security into everyday operations are two of the top contributors to better data security practices. Perhaps the most important contributor, though, is maintaining those practices continuously rather than only ahead of an assessment. Ensuring that employees keep antivirus software running at all times, understand the data security implications of their work and are aware of the consequences of a data protection failure may push a company closer to achieving and maintaining PCI compliance.
Security News from SimplySecurity.com by Trend Micro