September 27
The vast majority of companies continue to fall short of complying with the Payment Card Industry data security standard during their initial audit, with only 21% getting a passing grade.
The second annual Verizon Payment Card Industry Compliance Report, released Wednesday, found only a slight improvement in overall compliance with PCI requirements to protect against fraud compared with a year ago.
The PCI standard describes how companies that handle payment card data must protect it from exposure. Companies must regularly validate their compliance with an assessor such as Verizon.
In many cases, organizations do not appear to be appropriately prioritizing data-security efforts based on the PCI Security Standards recommendations. Maintaining compliance is an ongoing task, says Jen Mack, director of global PCI services for Verizon.
"PCI compliance should be more like a marathon, where you plan for it over a long period of time, rather than a sprint where you rush out and prepare for an audit immediately beforehand and assume you're going to be in good shape for the long run," she says.
To auditors' frustration, many organizations continue to handle PCI compliance "on a project basis" instead of integrating data security into business policies and processes year-round, Mack says.
But that is gradually changing, she says.
"A growing number of companies are looking at the big picture on data security and integrating it into their operations, as we're seeing from the growing participation and interest in data security from major international corporations that are setting the pace on this," Mack says.
Mack disagrees with
Most companies that fall short of full PCI compliance typically achieve full compliance "relatively easily, within a week or a few months," Mack says. "Most new software is relatively easily adaptable to PCI standards."
The difficulty for many companies comes in adapting legacy software to newer systems and technologies, Mack says.
But even then, "once you're in compliance you're unlikely to fall out of compliance randomly," Mack says.
During initial audits, organizations were in compliance with an average of 78% of the various PCI data-security standards, Verizon reported. Some 60% of organizations initially complied with 80% of data-security requirements, while about 20% initially complied with less than half of the data-security standards.
Among the 12 specific PCI data-security requirements, those that caused the most trouble for organizations were protecting stored cardholder data, tracking and monitoring data access, regularly testing systems and processes, and maintaining security policies, the report said.
Companies most often complied with the PCI requirements for encrypting data transmissions over public networks, using and updating anti-virus technologies, restricting data access to those organization members who need to know it, and restricting physical access to data.
Despite the relatively low percentage of companies that are in full compliance during initial audits, companies are getting better at achieving PCI compliance, and that leads to fewer data breaches, the Verizon report says.
"We're seeing improvement in overall compliance, despite the data on how companies are performing on their initial audits. And according to our data, every fraud threat or action is covered by one or more PCI data-security requirements," Mack says. "It's clear the standards provide protection for card data if organizations implement them correctly and maintain them throughout the year."