PCI DSS Compliance Is Low but Shows Improvement: Verizon

A new survey shows a small percentage of companies comply fully with PCI DSS 2.0 requirements while a large percentage are "mostly compliant."

electronic payments

Compliance with the Payment Card Industry Data Security Standard (PCI DSS)—a key requirement for organizations that process and handle electronic payments—is low but improving, according to the findings of a new study from Verizon.

Although just 11.1 percent of the companies surveyed were fully compliant with all the requirements of the PCI DSS 2.0 standard in 2013, that figure is actually an increase of 3.6 percentage points from 2012.

"Only 11 percent of the companies we met were compliant during the first assessment, meaning that 89 percent of organizations were not initially compliant," Rodolphe Simonetti, managing director, PCI practice, Verizon Enterprise Solutions told eWEEK.

Although a small percentage of companies are fully compliant with PCI DSS, many are what Simonetti referred to as "mostly compliant," or 80 percent or more compliant with the PCI DSS specifications. According the Verizon study, only 32 percent of companies were mostly compliant in 2012, a figure that grew to 82 percent in 2013.

The main challenge with PCI compliance is that most organizations have been viewing it as a project to be completed and not as an everyday process, Simonetti said. "What is critical is to maintain compliance day after day, because once the assessment is done, the risk is not going away," he said. "What we have seen from the last five years of security breaches is that most companies, even if they were at one point PCI-compliant, were not compliant at the time of the breach."

Organizations may have a hard time meeting Requirement 7 of the specification, which mandates that they perform security testing; Requirement 11, which stipulates the need for security monitoring; and requirement 3, which concerns protecting stored data, Simonetti explained.

Requirement 11 can be challenging because it requires the use of log management or Security Incident and Event Management (SIEM) technologies, Simonetti said. The testing requirement asks organizations to do yearly penetration testing and quarterly vulnerability scans.

"It's common sense, and still a lot of companies are failing," Simonetti said.

To improve security compliance, companies need to properly allocate resources such as people, money and time, Simonetti said, adding that compliance should remain a year-round, continuous effort and not a point-in-time initiative.

PCI DSS compliance should also be viewed in the wider context of an overall security program and not a stand-alone effort, and organizations should leverage compliance as an opportunity, Simonetti said. "Compliance is not just about mitigating risk; it can also be about providing a return on investment," he said.

Stay focused, Simonetti advised. "PCI compliance contains about 300 controls, and it doesn't make sense to apply those controls to an entire IT environment. To make compliance easier, reduce the size of the task and focus on the part of the environment that needs to be segregated and then secured."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.