Verizon: PCI-Compliant Businesses See Fewer Data Breaches

An analysis of PCI DSS audits by Verizon revealed PCI-compliant businesses are less likely to experience data breaches than those that aren't.

Compliance regulations may not be a perfect gauge for security, but a new report from Verizon Business underscores how important they can be.

In the "Verizon Payment Card Industry Compliance Report [PDF]," the company analyzes compliance with the Payment Card Industry Data Security Standard (PCI DSS), and how it relates to data breaches. According to the report, breached organizations are 50 percent less likely to be PCI-compliant than a "normal population of PCI clients." Just 22 percent of organizations were PCI-compliant at the time of their initial examination.

"To ensure security, you need a layered approach," said Jen Mack, director of Global PCI Consulting Services at Verizon. "There is not a single magic bullet solution or product that will solve PCI needs or prevent breaches, but a layered and continually enforced approach to security is the best way to prevent breaches."

The report is based on findings from approximately 200 PCI DSS assessments conducted by Verizon, mostly in the United States during 2008 and 2009. By coupling PCI assessment data with the post-breach analysis, Verizon ranked the top attack methods used to compromise payment card data: malware and hacking (25 percent), SQL injections (24 percent), and exploitation of default or guessable credentials (21 percent).

Of the 12 PCI DSS requirements, three of them-protect stored data, track and monitor access to network resources and cardholder data, and regularly test security systems and processes-address areas most vulnerable to security breaches, according to Verizon's 2010 Data Breach Investigations Report.

Still, PCI is a snapshot in time and therefore is not always a full view of an enterprise's security posture. There have been cases in the past where companies fell victim to data breaches in between annual audits despite having been found compliant in the previous assessment.

"Companies suck in their gut for inspection and then exhale once it's all over," said Wade Baker, director of risk intelligence at Verizon Business. "While annual assessments may not be an exact indicator of security, assessments do provide a best-case measure of a company's security, which is still useful. Furthermore, based on what I've seen, the yearly "sucking in of the gut" at least makes them think of things they otherwise would ignore. So, an annual-albeit temporary-tidying up is better than the constant erosion that would otherwise occur."

Seventy-eight percent of organizations were not compliant initially, but on average organizations meet 81 percent of the procedures required by PCI, the report found. Some 75 percent of the organizations meet at least 70 percent of the testing requirements; only 11 percent met less than half at the time of their initial review.

"[Organizations should] find a way to incorporate PCI DSS requirements into your overall security initiatives and programs so that compliance becomes part of your daily business activities," Mack said. "Also, if you don't know where to start, you can use the Prioritized Approach released by the PCI Security Standards Council: It provides a risk-based approach on which requirements to tackle first. The overall goal is to reduce the most amount of risk up front to cardholder data."