Verizon PCI DSS report a wake-up call, says PCI Security Standards Council

Verizon's payment card industry data security standard (PCI DSS) compliance report should be a wake-up call for business, says industry body

The latest Verizon report on compliance with the payment card industry data security standard (PCI DSS) should be a wake-up call for businesses, said the body that administers the standard.

With more than two-thirds of all purchases made with payment cards and $20tn in credit card transactions expected in 2015, security has become a top priority for organisations that accept credit cards.

Yet nearly 80% of businesses fail their interim PCI compliance assessment, leaving them vulnerable to cyber attacks, according to Verizon’s 2015 PCI Compliance Report.

The report also showed that only 29% of companies remained fully compliant with PCI DSS less than a year after being validated as compliant.

However, almost twice as many companies were validated as compliant during their interim compliance review in 2014 compared with 2013.  

Between 2013 and 2014, compliance increased for 11 of the 12 PCI DSS requirements, with an average increase of 18%.

The biggest jump in compliance was in authenticating access. The only area where compliance fell was testing security systems, which dropped from 40% to 33%.


Low compliance in data breach firms

“The report is an important document that should serve as a wake-up call for every business that cares about payment security,” said Stephen Orfei, general manager of the PCI Security Standards Council (PCI SSC).

He said that, although there is progress in many key areas in protecting payment card data, the report shows there remains a long way to go.

“Cyber attacks are on the rise, and too many companies do not make payment security an all-day, every-day priority,” said Orfei.    

Verizon’s cyber security research has consistently found that, since 2009, organisations suffering a data breach showed lower-than-normal compliance with a number of PCI DSS controls.

Loss of customer trust

“This report reinforces what the PCI Security Standards Council has been promoting for years – payment security must be a higher priority for the business community,” said Orfei.

According to Verizon, companies can better manage their brand, ensure consumer trust and avoid hefty fees by reducing the likelihood of a breach.

One of the biggest negative effects of data breaches is the loss of customer trust; studies show 69% of consumers are less inclined to do business with an organisation that has been breached.

“Compliance at a point in time isn’t sufficient to protect data because today’s cyber security landscape is constantly changing,” said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions.

“Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities in an organisation’s greater security strategy,” he said.

Three key areas of concern

The report shows organisations commonly fall out of compliance in three key areas:

  1. Testing security systems regularly (requirement 11);
  2. Maintaining secure systems (requirement 6);
  3. Protecting stored data (requirement 3).

“Often an organisation’s approach to PCI security is to focus on passing the annual compliance assessment. But this is just the start of a vigilant, proactive security program. Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice, will help thwart these constant threats,” said Orfei.

Of all the data breaches studied, Verizon’s findings show that not a single company was fully PCI DSS compliant at the time of the breach.

“Another troubling trend from this year’s report is that data security is still inadequate,” said Simonetti.

“The volume and scale of data breaches in the past 12 months is proof that current security techniques are not stopping attackers – in many cases they aren’t even slowing them down.”

Risk-management strategy

According to Simonetti, PCI DSS compliance must be viewed as part of a comprehensive information security and risk-management strategy.

“A PCI DSS assessment can uncover important security gaps that should be fixed, but it is not a guarantee that the data is safe from a cyber attack,” he said.  

This year’s report covers three years of data from PCI assessments, conducted by Verizon’s team of PCI Qualified Security Assessors for large multinational firms in more than 30 countries. 

The report includes an in-depth analysis of each of the 12 PCI DSS requirements and examines compliance against version 3.0 and the soon-to-be-released version 3.1 of the standard.

How companies fall out of PCI DSS compliance

The 2015 report includes details of how and where companies fall out of compliance once achieved, and recommendations on how to make compliance easier and how to remain compliant.

“2015 is a pivotal year for payment card security as the US transitions to EMV Chip technology, and this report hopefully will bring attention to the many critical issues that companies need to consider during this important time,” said Orfei. 

“There is no silver bullet to security or preventing breaches.  But by establishing a multi-layered approach that includes vigilance in monitoring and managing access, proactively strengthening security at the point-of-sale, and actively preparing to meet new threats, businesses can significantly reduce the types of risks that have enabled recent breaches.” 

To help educate organisations struggling to implement and maintain the security measures needed to detect and mitigate malware attacks, the PCI SSC is to host a webinar on how to defend against Backoff malware aimed at point-of-sale systems.

The webinar will be held in collaboration with the Visa Payment System Cyber Intelligence Team on 26 March 2015 at 1700 GMT.
