Merchants get failing grade on compliance with payment card standards

Only 21% of businesses were fully compliant with the PCI DSS standards at the time of their initial audit, according to the 2011 Verizon Payment Card Industry Compliance Report, which is based on findings from more than 100 PCI DSS assessments conducted by Verizon, as well as data breach investigations. This is similar to the percentage of compliance found in the previous report.

“There is not a lot of upward movement. There is stagnation” in terms of PCI DSS compliance, said Wade Baker, director of risk intelligence with Verizon.

The report attributed the failure to overconfidence, complacency, and a lack of focus on PCI DSS compliance on the part of businesses.

“Some [companies] are thinking, ‘Well, we passed last year. We went to the trouble so this year we can kick back and take it easy’. And they find that that doesn’t work”, Baker noted.

“One of the main challenges in the entire realm of security is maintaining a state of security continuously and comprehensively”, he added.

In addition, the report found that the lack of PCI DSS compliance is linked to an increased risk of data breaches. Malware and hacking were the most common methods used to gain access to cardholder data.

Businesses struggled the most to comply with PCI DSS requirements 3 (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies), all of which are directly linked to protecting cardholder data, the report said.

“If they are not checking and validating [systems and processes], then it just goes without saying that they are going to quit doing things over time”, Baker opined.

The report found that businesses are not prioritizing their compliance efforts based on the PCI DSS Prioritized Approach developed by the PCI Security Standards Council. The Prioritized Approach presents six milestones, listed according to priority, that businesses should reach: 1) remove sensitive authentication data and limit data retention; 2) protect the perimeter, internal and wireless networks; 3) secure payment card applications; 4) monitor and control access to your systems; 5) protect stored cardholder data; and 6) finalize remaining compliance efforts and ensure all controls are in place.

“There are many different To Dos on the PCI To Do list. Obviously, they are not all equally important. … We would hope that businesses are prioritizing their efforts according to the Prioritized Approach, but the fact is they are not”, Baker said.