PCI DSS Compliance Is Low but Shows Improvement: Verizon
A new survey shows a small percentage of companies comply fully with PCI DSS 2.0 requirements while a large percentage are "mostly compliant."Compliance with the Payment Card Industry Data Security Standard (PCI DSS)—a key requirement for organizations that process and handle electronic payments—is low but improving, according to the findings of a new study from Verizon. Although just 11.1 percent of the companies surveyed were fully compliant with all the requirements of the PCI DSS 2.0 standard in 2013, that figure is actually an increase of 3.6 percentage points from 2012. "Only 11 percent of the companies we met were compliant during the first assessment, meaning that 89 percent of organizations were not initially compliant," Rodolphe Simonetti, managing director, PCI practice, Verizon Enterprise Solutions told eWEEK. Although a small percentage of companies are fully compliant with PCI DSS, many are what Simonetti referred to as "mostly compliant," or 80 percent or more compliant with the PCI DSS specifications. According the Verizon study, only 32 percent of companies were mostly compliant in 2012, a figure that grew to 82 percent in 2013.
The main challenge with PCI compliance is that most organizations have been viewing it as a project to be completed and not as an everyday process, Simonetti said. "What is critical is to maintain compliance day after day, because once the assessment is done, the risk is not going away," he said. "What we have seen from the last five years of security breaches is that most companies, even if they were at one point PCI-compliant, were not compliant at the time of the breach."