PCI DSS Compliance Does Not Mean Companies Are Secure From Breaches

An upcoming Verizon report shows that companies invest in PCI DSS compliance as a one-off project and then fail to maintain it, leaving their systems open to later breaches. That has to change, according to Verizon.


NEW YORK—An upcoming Verizon report on mobile and retail security and Payment Card Industry Data Security Standard (PCI DSS) compliance shows that many companies fall out of compliance once their compliance projects end, leaving security gaps that later lead to preventable data breaches and data loss.

"Most customers still see compliance as a project for two or three months," said Rodolphe Simonetti, the director of compliance and governance professional services for Verizon. "Where customers failed is in maintaining compliance" once the projects are completed because they don't continue to work on the systems.

Simonetti made his comments on Jan. 12 at a Verizon press event here during the National Retail Federation conference, where he spoke during a panel discussion on PCI compliance at the Ink48 hotel in Manhattan.

Simonetti was summarizing data from Verizon's upcoming annual PCI Report, which shows that companies are still struggling to implement and then maintain PCI DSS compliance in their corporate systems, he said.

The report, due out at the end of February, looked at more than 5,000 company security assessments in some 30 countries over the last five years, mostly at Fortune 500 companies. The results were striking, he said: not a single company that suffered a security breach in 2014 was in compliance with the PCI DSS then in force at the time of the breach.

"Most companies are really and definitely failing to maintain compliance," said Simonetti. "It was astonishing."

The data in the report showed that less than a third of the companies remained in compliance with PCI DSS after six months, he said. "That's a very, very low number. Becoming compliant is tough, but staying compliant is a bigger challenge."

Notably, the areas in which companies failed to stay compliant over time were the ones where Simonetti said he would least have expected failures: maintaining firewalls (Requirement 1), patching systems (Requirement 6), and regularly scheduled security and vulnerability testing (Requirement 11).

"I would think this is Security 101," he said. "But, still, a lot of companies are failing to maintain this very basic security."

The problem, he said, is that some companies treat PCI compliance as a yearly project rather than as an ongoing process that supports security. "You will never be able to be 100 percent secure," he said. "What is important, then, is to be resilient, to make sure that the impact of the breach is not that bad. Some do a lot to make sure it doesn't happen, but they fail to react quickly if it does."

Greg Buzek, principal analyst at retail and hospitality analyst firm IHL Group, said that for most companies the answer is that credit card security today must take a multi-pronged approach that also includes data encryption and tokenization, so that compliance with the standard is not the only thing standing between a thief and usable card numbers.

"Honestly, PCI [DSS] is the Y2K that never ends," said Buzek. Companies today often hold compliance letters from security assessors that were issued shortly before they were hit by data thieves, he said. "They had letters saying they were compliant. That's the challenge when it only protects the card" and not the data. "That's why it is better to have encryption and tokens because then the cards are worthless" if they are stolen.
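Buzek's point, that tokenized card data is worthless to whoever dumps the merchant's database, as an added example that is not from the article, Verizon, or IHL Group: a minimal tokenization vault in Python using only the standard library. The vault (the one component that holds PANs, and so stays in PCI DSS scope) maps random, Luhn-invalid tokens to card numbers; the merchant's order store keeps only tokens and refuses anything that looks like a real PAN. The card numbers 4111111111111111 and 5555555555554444 are the well-known test values, the role name `payment-processor` is hypothetical, and encryption of the vault's own storage (AES-GCM with an HSM-held key in practice) is left out of the block.

```python
import secrets
from typing import Dict, List


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check, as every real PAN does."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The only component that ever sees a PAN; it stays in PCI DSS scope."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        while True:
            # Random middle digits, last four preserved so receipts and
            # customer-service lookups still work without the PAN.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # A token that fails Luhn can never be mistaken for, or replayed as,
            # a real card number. Retry on the ~10% of candidates that pass.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Hypothetical role check: only the payment path may recover a PAN.
        if caller_role != "payment-processor":
            raise PermissionError("detokenization restricted to the payment processor")
        return self._pan_by_token[token]


class OrderDatabase:
    """Merchant system outside the cardholder data environment: tokens only."""

    def __init__(self) -> None:
        self.rows: List[dict] = []

    def record_sale(self, order_id: str, card_token: str, amount_cents: int) -> None:
        if luhn_valid(card_token):
            # Refuse to store anything that could be a real PAN.
            raise ValueError("refusing to store what looks like a real card number")
        self.rows.append({"order_id": order_id, "card_token": card_token,
                          "amount_cents": amount_cents})


def simulate_breach(orders: OrderDatabase) -> List[str]:
    """What an attacker who dumps the merchant database actually obtains."""
    return [row["card_token"] for row in orders.rows]


def run_demo() -> dict:
    """Tokenize two constructed test cards, dump the order DB, assess the loot."""
    vault = TokenVault()
    orders = OrderDatabase()
    pans = ["4111111111111111", "5555555555554444"]   # constructed test numbers
    for i, pan in enumerate(pans):
        orders.record_sale(f"order-{i}", vault.tokenize(pan), 1999)
    loot = simulate_breach(orders)
    usable = [t for t in loot if luhn_valid(t)]       # real-looking cards in the dump
    return {"stolen": loot, "usable_pans": usable, "pans": pans}


if __name__ == "__main__":
    result = run_demo()
    print("dumped tokens:", [mask_pan(t) for t in result["stolen"]])
    print("usable card numbers in dump:", result["usable_pans"])
```

Random tokens with a lookup table are used deliberately: a deterministic token such as an HMAC of the PAN would let anyone who obtained the key brute-force the small space of valid card numbers, whereas a random token carries no information about the PAN at all. The corollary is that the vault itself, and the credentials allowed to call detokenize, are exactly what the ongoing controls Simonetti lists (firewalls, patching, testing) must protect.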