Most Organizations Slipping Out of PCI Compliance Within a Year: Survey

A Verizon Business report found that organizations that have been validated as being PCI-DSS compliant are no longer meeting standards a year later.

Retailers and merchants are still falling short of payment card security requirements, according to a new report.

The latest Payment Card Industry Compliance Report found that a majority of small businesses in the United States, Europe and Asia have fallen short of maintaining compliance with the Payment Card Industry Data Security Standard (PCI-DSS), Verizon Business said Sept. 28. The compliance situation has "neither worsened nor improved," but the results are still "disappointing," the report's authors wrote.

Of the 100 organizations that had been evaluated and validated by Verizon Business in the 2010 report as meeting PCI-DSS requirements, more than 75 percent are no longer compliant, the report found. The organizations had slipped out of compliance over the year, making them vulnerable to cyber-attacks.

There is a glimmer of good news. The report did not find any evaluated organizations that had regressed to having no security at all, but that they were missing some elements. For an organization to be able to claim to be PCI-compliant, it has to score 100 percent on the audit. The report found that 21 percent scored 100 percent and 37 percent 90 percent or higher, meaning that more than half scored 90 percent or better.

"We had hoped to see more organizations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organizations and in all likelihood lead to fewer breaches," said Wade Baker, director of risk intelligence at Verizon Business and chief author of the report.

The basic requirements include using firewalls and antivirus, implementing strong passwords and access control, protecting the database, encrypting cardholder data when transmitted across public networks, restricting physical access to data, tracking all activity and regularly testing systems and processes.

Organizations appear to have the hardest time with the requirement of protecting stored data, followed by regularly testing security systems and processes, and maintaining security policies, according to the report. About 42 percent of organizations had trouble encrypting data in the database or implementing a proper key management strategy to keep the information safe. Not conducting regular risk assessments meant the companies were not aware when they were no longer compliant.

"The report demonstrated again this year that breached organizations are more likely not to be PCI compliant and are more likely to suffer from identity theft and fraud issues," Baker wrote in the report.

In contrast, organizations were able to comply with the "encrypt transmissions over public networks" requirement, "use and update antivirus," and "restrict access to need-to-know," the report found. More than half of the organizations were also able to meet the "restrict physical access" requirement.

Compliance needs to be an "everyday, ongoing process," and organizations need "continuous adherence" to the standard, the report found. Organizations need a daily log review, weekly file-integrity monitoring, quarterly vulnerability scanning and annual penetration testing, according to the report.

Some regions are doing better than others, such as the United Kingdom, Germany and France, but countries in the Asia-Pacific market are struggling with the requirements. In addition, many merchants and financial institutions in the United States are not adequately implementing layered security measures, the report found.

PCI-DSS is industry-specific, but Verizon did include some federal agencies that handle credit card information in its report. Developed by the Payment Card Industry's Security Standards Council in 2005, PCI-DSS applies to all organizations that use or store cardholder data. The council announced an update to the standard last October, which has more stringent requirements.

"Prepare to have the bar raised," Baker wrote.