Payment Card Security Compliance Remains Problematic: Verizon Report

While the compliance situation has neither worsened nor improved, it is still "disappointing," according to the report.

For the second year in a row, a Verizon report has found that too many businesses are struggling to comply with payment card security standards, putting consumers' confidential information at risk. According to the company's Payment Card Industry Compliance Report, most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). The report concluded, as a result, they are at greater risk of losing confidential customer information and falling victim to credit card fraud.

While the compliance situation has neither worsened nor improved, it is still "disappointing." Only 21 percent of organizations were fully compliant during the initial audit, and the report noted that the difficulty in achieving compliance, along with overconfidence, complacency and the need to focus on other compliance and security issues are among the possible reasons for the widespread PCI noncompliance. The report suggested again this year that breached organizations are more likely not to be PCI compliant and are more likely to suffer from identity theft and fraud issues.

Organizations struggled the most to comply with requirements 3 (protect stored cardholder date), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies), all of which are directly linked to protecting cardholder data. Launched in 2009, the Prioritized Approach was created to help businesses identify and reduce risk to cardholder data and to ease the annual PCI process. The report found that rather than using a risk-based approach to PCI compliance, organizations instead rely on the PCI DSS for guidance.

"We had hoped to see more organizations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organizations and in all likelihood lead to fewer breaches," said Wade Baker, director of risk intelligence for Verizon. "By reviewing this report, organizations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit-card environment for consumers and businesses."

In addition to analyzing the overall current state of compliance with the PCI DSS, the report examines how well organizations comply with the 12 specific PCI requirements and provides recommendations that organizations can implement to help them earn and maintain compliance. The report is based on findings from more than 100 PCI DSS assessments conducted by Verizon's team of PCI Qualified Security Assessors in 2010, as well as data gathered by Verizon's Investigative Response group while investigating real-world payment card data breaches. The Verizon Risk Intelligence team also overlaid the assessment findings with data-breach cases from the 2011 Verizon Data Breach Investigations Report, and the assessments include data from organizations based in the United States, Europe and Asia.