Full compliance with the Payment Card Industry’s Data Security Standard (PCI DSS) remains very low, a study of hundreds of assessments around the globe has revealed.
Despite an increase of 3.6% in the past year, only 11.1% of organisations that accept card payments complied fully with the PCI DSS in 2013, according to the latest report from Verizon.
This means most organisations remain at high risk of data breaches and associated financial and reputational damage, with payment card transactions a prime target for cyber fraudsters.
However, the report notes that most payment card data breaches are not a failure of security technology or of compliance with the PCI DSS, but a failure to implement the appropriate measures as intended.
“Many organisations view PCI compliance as an annual event, rather than an ongoing process,” said Kim Haverblad, northern Europe professional services manager, PCI Practice at Verizon Enterprise Solutions.
“But on a more positive note, compliance with the PCI standard has shown some improvement.
“In 2013, 82% of organisations were compliant with at least 80% of the PCI standard, up from only 32% in 2012, but it is not all good news.”
Europe lags behind
The Verizon 2014 PCI Compliance Report also shows regional differences, with European businesses lagging far behind the rest of the world in card payment security.
Only 31% of European businesses were found to be meeting 80% or more of the PCI requirement on an ongoing basis, compared with 75% in Asia-Pacific and 56% in the US.
This is due to varying legal requirements – such as data breach notification laws – and varying levels of PCI DSS adoption, said Haverblad, one of the report’s co-authors.
According to the report, areas where businesses struggle the most in achieving initial compliance include security testing (23.8%); the ability to detect and respond to data compromises (17%); and protecting stored sensitive data (55.6%).
“Outsourcing some of the more technical aspects can help organisations improve their PCI compliance and level of security, as long as they ensure their suppliers adhere to the framework,” said Haverblad.
“While operations can be outsourced, organisations can never outsource responsibility and remain accountable for the security of card payment data.”
The report examines how well organisations comply with each of the 12 specific PCI requirements and provides guidelines on how to achieve and maintain compliance.
The report also explains how non-compliance with each of the requirements can lead to a data breach.