A Verizon Business report found that organizations that have been validated as being PCI-DSS compliant are no longer meeting standards a year later.
Retailers
and merchants are still falling short of payment card security requirements,
according to a new report.
The
latest Payment Card Industry Compliance Report found that a majority of small
businesses in the United States, Europe and Asia have fallen short of
maintaining compliance with the Payment Card Industry Data Security Standard (PCI-DSS),
Verizon Business said Sept. 28. The compliance situation has "neither
worsened nor improved," but the results are still
"disappointing," the report's authors wrote.
Of
the 100 organizations that had been evaluated and validated by Verizon Business
in the 2010 report as meeting PCI-DSS requirements, more than 75 percent are no
longer compliant, the report found. The organizations had slipped out of
compliance over the year, making them vulnerable to cyber-attacks.
There
is a glimmer of good news. The report did not find any evaluated organizations
that had regressed to having no security at all, but that they were missing
some elements. For an organization to be able to claim to be PCI-compliant, it
has to score 100 percent on the audit. The report found that 21 percent scored
100 percent and 37 percent 90 percent or higher, meaning that more than half
scored 90 percent or better.
"We
had hoped to see more organizations complying with the PCI standard, since we
believe that compliance will ultimately improve the security posture of
organizations and in all likelihood lead to fewer breaches," said Wade Baker,
director of risk intelligence at Verizon Business and chief author of the
report.
The
basic requirements include using firewalls and antivirus, implementing strong
passwords and access control, protecting the database, encrypting cardholder
data when transmitted across public networks, restricting physical access to
data, tracking all activity and regularly testing systems and processes.
Organizations
appear to have the hardest time with the requirement of protecting stored data,
followed by regularly testing security systems and processes, and maintaining
security policies, according to the report. About 42 percent of organizations
had trouble encrypting data in the database or implementing a proper key
management strategy to keep the information safe. Not conducting regular risk
assessments meant the companies were not aware when they were no longer
compliant.
"The
report demonstrated again this year that breached organizations are more likely
not to be PCI compliant and are more likely to suffer from identity theft and
fraud issues," Baker wrote in the report.
In
contrast, organizations were able to comply with the "encrypt
transmissions over public networks" requirement, "use and update
antivirus," and "restrict access to need-to-know," the report
found. More than half of the organizations were also able to meet the
"restrict physical access" requirement.
Compliance
needs to be an "everyday, ongoing process," and organizations need
"continuous adherence" to the standard, the report found.
Organizations need a daily log review, weekly file-integrity monitoring,
quarterly vulnerability scanning and annual penetration testing, according to
the report.
Some
regions are doing better than others, such as the United Kingdom, Germany and
France, but countries in the Asia-Pacific market are struggling with the
requirements. In addition, many merchants and financial institutions in the
United States are not adequately implementing layered security measures, the
report found.
PCI-DSS
is industry-specific, but Verizon did include some federal agencies that handle
credit card information in its report. Developed by the Payment Card Industry's
Security Standards Council in 2005, PCI-DSS applies to all organizations that
use or store cardholder data. The council announced an update to the standard
last October, which has more stringent requirements.
"Prepare
to have the bar raised," Baker wrote.
Email
Print
