PCI Compliance Doubles But Most Fail After One Year

Only 28% of organizations were still fully compliant with the PCI DSS card industry standard less than a year after being validated, although compliance in general doubled in 2014 compared to the previous year, according to Verizon.

The firm’s 2015 PCI Compliance Report offers an interesting snapshot of a standard originally devised by the card companies to promote better card data handling and security, with one eye on reducing damaging breaches.

This year’s report found that nearly 80% of businesses fail their interim PCI compliance assessment, exposing them to cyber-attacks, although the majority correct this by their final assessment.

Nevertheless, this tends to suggest many firms are still operating a tick-box approach to compliance.

Regular testing of security systems and processes and maintaining firewalls are the two areas where organizations fall out of compliance most often. In fact, testing was the only one of the 12 PCI DSS requirements where compliance fell – from 40% to 33% between 2013 and 2014.

Kim Haverblad, Northern Europe PCI professional services manager at Verizon, told Infosecurity that compliance often dips when a new version of the standard is introduced. PCI DSS 3.0 went live on 1 January 2015.

However, on the plus side, compliance went up for the remaining 11 requirements, by an average of 18%, Verizon said.

While PCI DSS is not a silver bullet, it should also be noted that, of all the data breaches studied in the report, no firm was fully compliant at the time.

Haverblad admitted that PCI DSS compliance is often seen as a burden by firms.

However, he added that this burden can be reduced if IT managers are able to “find synergies with other similar projects” like IT service management, or “ongoing activities within an organization which can contribute to cost sharing for PCI DSS programs.”

“While PCI DSS can be a challenge for any organization it’s all about simplicity; most organizations tend to make things far more complicated than needed. It’s all about making things easy and understandable, and ensuring the correct scope is applied,” he told Infosecurity.

“If you don’t need to process, store and/or transmit critical data, don’t do it. We have a tendency not to review business processes, but if we did we would see that often these tend to include steps which aren’t necessary anymore, due to business and technology changes.”

David Oder, CEO of US payment gateway Shift4, speculated that compliance may have become too complex.

“There is no silver bullet for security; however, true point-to-point encryption (P2PE), coupled with tokenization, provides merchants with a multi-prong security strategy that greatly enhances their security posture and reduces their breach profile,” he added in a statement.

“The trouble is, PCI is refusing to validate certain types of security solutions – even though they are more secure and more useful to merchants than what is currently validated. Merchants need the maneuverability to select solutions that provide security beyond compliance.”

The report is compiled from thousands of assessments by Verizon’s PCI Qualified Security Assessors for mainly Fortune 500 and large MNCs. 