The majority of merchants which sign up to payment security standard PCI DSS fall out of compliance less than a year after being validated, greatly increasing their chance of falling victim to a damaging data breach, according to Verizon Enterprise Solutions.
The IT services giant examined results from thousands of PCI assessments conducted by its global team of PCI Qualified Security Assessors (QSAs), in order to compile its 2015 PCI Report, due out in February.
Selected findings released this week revealed that fewer than one-third of those businesses analyzed were still fully compliant less than a year after being certified by Verizon.
Two key areas where firms are failing to keep up with the strict requirements of the PCI DSS are regular testing of security systems and properly maintaining firewalls, the vendor said.
The findings are all the more surprising given that the report mainly focused on Fortune 500 and large multinational firms.
It also claimed that, of all the data breach incidents studied, none of the firms involved were fully compliant with PCI DSS at the time of the breach – highlighting the value of the standard.
As well as putting in place safeguards to prevent cyber attacks, organizations must also prepare for the possibility that they will fall victim, Verizon said.
A considered response should include steps to mitigate the impact of any breach, restore cyber defenses and resume normal operations as soon as possible, it added.
The findings chime with the Payment Card Industry Security Standards Council’s focus in version 3.0 of the standard, which came fully into force on 1 January 2015.
Here it has tried to convey the message that organizations need a “structured, predictable, and continuous approach” which will “make payment security business-as-usual.”
Ciske van Oosten, Verizon’s global intelligence manager for Payment Security Solutions, argued that many organizations still think primarily about implementing controls solely for compliance purposes.
“This is not so much the result of a ‘tick-box’ mentality where the focus is on compliance instead on effective data protection. For many, if not most organizations, the understanding of exactly how they should go about achieving data protection and compliance in a ‘business as usual’ manner is not clear at all,” he told Infosecurity.
“It is a matter of education, understanding and insight – and the willingness to learn from peers, gaining insight from the experience of organizations within their vertical industry.”
The problem is compounded because many firms simply don’t have the in-house skills and experience needed to implement an information security management system that is “sustainable and resilient,” he added.
Whether PCI DSS 3.0 encourages a more holistic approach to payment security depends on how organizations interpret the new requirements, which in turn is based on “the support which security and compliance teams receive internally.”