The vast majority of companies continue to fall short of complying with the Payment Card Industry Data Security Standard during their initial audit, with 79% failing and 21% getting a passing grade, contends a report Verizon Communications Inc. released Sept. 28.
The second annual Verizon Payment Card Industry Compliance Report found only a slight improvement in overall compliance with PCI requirements to protect against fraud compared with a year ago.
Verizon, which performs PCI compliance audits worldwide, deemed the results “disappointing.”
“Difficulty in achieving compliance, along with overconfidence, complacency and the need to focus on other compliance and security issues, are among the possible reasons for the widespread PCI noncompliance,” Verizon said in a press release.
Verizon gathered the data from PCI assessments its team of qualified security assessors conducted throughout 2010 and through fraud-incident reports. The assessment covered a “wide variety” of organizations, including merchants and service providers. The majority of companies examined were in the U.S. (60%), followed by Europe (30%) and Asia (5%).
During initial audits, organizations complied with an average of 78% of PCI data-security standards, Verizon reported. Some 60% of organizations initially complied with 80% of data-security requirements, while about 20% initially complied with fewer than half of the data-security standards.
Among the 12 specific PCI data-security requirements, those that caused the most trouble for organizations were protecting stored cardholder data, tracking and monitoring data access, regularly testing systems and processes, and maintaining security policies, the report said.
Companies most often complied with PCI requirements for encrypting data transmissions over public networks, using and updating anti-virus technologies, restricting data access to those organization members who need to know it, and restricting physical access to data.
In many cases, organizations do not appear to set appropriate priorities for data-security efforts based on the PCI Security Standards recommendations, the report noted.
Maintaining compliance is an ongoing task, Jen Mack, director of global PCI services for New York-based Verizon, tells ISO&Agent Weekly.
“PCI compliance should be more like a marathon, where you plan for it over a long period of time, rather than a sprint where you rush out and prepare for an audit immediately beforehand and assume you’re going to be in good shape for the long run,” she says.
To auditors’ frustration, many organizations continue to handle PCI compliance “on a project basis” instead of integrating data security into business policies and processes year-round, Mack says.
But that is gradually changing, she notes.
“A growing number of companies are looking at the big picture on data security and integrating it into their operations, as we’re seeing from the growing participation and interest in data security from major international corporations that are setting the pace on this,” Mack says.
Mack disagrees with certain recent criticism that PCI is a “false god” that routinely fails to adequately protect against fraud and that it is difficult for companies to remain in compliance. She also notes that authentication is “becoming more of a priority” to data-security efforts, but she did not offer specifics.
Moreover, most companies that fall short of full PCI compliance typically achieve full compliance “relatively easily, within a week or a few months,” Mack says. “Most new software is relatively easily adaptable to PCI standards.”
The difficulty for many companies comes in adapting legacy software to newer systems and technologies, Mack suggests.
But even then, “once you’re in compliance you’re unlikely to fall out of compliance randomly,” Mack says.
Despite the relatively low percentage of companies that are in full compliance during initial audits, companies are getting better at achieving PCI compliance, and that helps to reduce the number of data breaches, the Verizon data show.
“We’re seeing improvement in overall compliance, despite the data on how companies are performing on their initial audits. And according to our data, every fraud threat or action is covered by one or more PCI data-security requirements,” she says. “It’s clear the standards provide protection for card data if organizations implement them correctly and maintain them throughout the year.”