Did you know that most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). As a result, they are at greater risk of losing confidential customer information and falling victim to credit-card fraud.
About this time last year, we published the first Verizon PCI Compliance Report (PCIR). Like the original Verizon PCI Compliance Report, the new PCIR is chock-full of analysis and insights. Building upon the acclaimed Verizon Data Breach Investigations Report (DBIR) series, in the PCIR we take a hard look at payment card breaches and how PCI Data Security Standards are affecting the risk landscape.
In this report we attempt to answer the burning questions in the PCI community, such as:
• Is PCI really helping reduce risk and improve security?
• What’s the difference between security, compliance, and validation?
• What controls have the strongest inverse correlation with a data breach?
• Why do 44% of all breaches take over a year to be discovered?
Below you’ll find some key findings and some recommendations for your business to meet compliance to avoid steep penalties, including fines and increased transaction fees from the credit card brands.
Top findings from the 2011 Verizon Payment Card Industry Compliance Report include:
- While the compliance situation has neither worsened nor improved, it is still "disappointing." Only 21 percent of organizations were fully compliant during the initial audit. The report notes that the difficulty in achieving compliance, along with overconfidence, complacency and the need to focus on other compliance and security issues are among the possible reasons for the widespread PCI noncompliance.
- Lack of PCI compliance continues to be linked to data breaches. The report demonstrated again this year that breached organizations are more likely not to be PCI compliant and are more likely to suffer from identity theft and fraud issues.
- Organizations struggle with key PCI requirements. Organizations struggled the most to comply with requirements 3 (protect stored cardholder date), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies), all of which are directly linked to protecting cardholder data.
- Failure to prioritize compliance efforts often means high-risk security threats are ignored. Launched in 2009, the Prioritized Approach was created to help organizations identify and reduce risk to cardholder data and to ease the annual PCI process. The report found that rather than using a risk-based approach to PCI compliance, organizations instead rely on the PCI DSS for guidance. As a result, many organizations are ignoring security threats with the highest risk and potential for the largest negative impacts.
- PCI standard offers protection against the most common attack methods. Malware and hacking are the most predominant methods used to gain access to cardholder data. Several overlapping PCI requirements are aimed at protecting against these attack methods.
Recommendations for Meeting Compliance:
Based on extensive analysis, Verizon offers the following recommendations to help organizations meet their PCI compliance goals:
- Treat compliance as an everyday, ongoing process. Compliance requires continuous adherence to the standard. This means a daily log review, weekly file-integrity monitoring, quarterly vulnerability scanning and annual penetration testing. To achieve this, Verizon recommends that an internal PCI "champion" ensure that compliance becomes part of daily business activities.
- Self-validate very carefully - or not at all. Level 1 and 2 merchants - who process the highest volumes of cardholder transactions --are allowed to assess themselves against the standard. Due to the numerous issues and conflicts of interest this can cause, Verizon highly recommends that an objective third party validate the scope of the assessment or perform the testing.
- Prepare to have the bar raised. In October 2010, the PCI Security Standards Council announced PCI DSS version 2.0. This version requires a more stringent executive summary and validation of methodology for scope definition. Organizations, many of which are having severe issues complying with the existing standards, need to quickly get ready for the new version.
Additional findings and recommendations are available in the full report, which can be downloaded at http://www.verizonbusiness.com/go/2011pci/us. In addition to the report, readers can access all report resources by visiting the Verizon PCI Report Resource Center.
You may also want to check out the 2011 PCI Compliance Report podcast with Jen Mack, director – PCI Consulting Services, and Wade Baker, director – Risk Intelligence.
Is your business compliant with PCI DSS?