Businesses failing to comply with payment card security, finds report

For the second year in a row, a Verizon report has found businesses are struggling to comply with payment card security standards, putting consumers’ confidential information at risk.

According to the Verizon Payment Card Industry Compliance Report, most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). As a result, they are at greater risk of losing confidential customer information and falling victim to credit-card fraud. 

Businesses are failing to maintain compliance even though they face steep penalties, including fines and increased transaction fees from the credit card brands, said Verizon. Businesses also now face pressure from their partners and customers to demonstrate continued compliance.

In addition to analysing the overall current state of compliance with the PCI DSS, the report examines how well organisations comply with the 12 specific PCI requirements and provides recommendations organisations can implement to help them earn and maintain compliance.

“We had hoped to see more organisations complying with the PCI standard, since we believe compliance will ultimately improve the security posture of organisations and in all likelihood lead to fewer breaches,” said Wade Baker, director of risk intelligence, Verizon. “By reviewing this report, organisations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit-card environment for consumers and businesses.”

The report is based on findings from more than 100 PCI DSS assessments conducted by Verizon’s team of PCI Qualified Security Assessors in 2010, as well as data gathered by Verizon’s Investigative Response group while investigating real-world payment card data breaches. Additionally, the Verizon Risk Intelligence team overlaid the assessment findings with data-breach cases from the 2011 Verizon Data Breach Investigations Report.

The assessments include data from organisations based in the US, Europe and Asia, representing for the first time the global nature of the PCI standard, said Verizon.

Key Findings

Top findings from the 2011 Verizon Payment Card Industry Compliance Report include:  

·         While the compliance situation has neither worsened nor improved, it is still disappointing. Only 21% of organisations were fully compliant during the initial audit. The report notes the difficulty in achieving compliance along with overconfidence, complacency and the need to focus on other compliance and security issues are among the possible reasons for the widespread PCI noncompliance

·         Lack of PCI compliance continues to be linked to data breaches. The report demonstrated again this year breached organisations are more likely to not be PCI compliant and are more likely to suffer from identity theft and fraud issues

·         Organisations struggle with key PCI requirements. Organisations struggled the most to comply with requirements three (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies), all of which are directly linked to protecting cardholder data

·         Failure to prioritise compliance efforts often means high-risk security threats are ignored. Launched in 2009, the Prioritised Approach was created to help organisations identify and reduce risk to cardholder data and to ease the annual PCI process. The report found rather than using a risk-based approach to PCI compliance, organisations instead rely on the PCI DSS for guidance. As a result, many organisations are ignoring security threats with the highest risk and potential for the largest negative impacts

·         PCI standard offers protection against the most common attack methods. Malware and hacking are the most predominant methods used to gain access to cardholder data. Several overlapping PCI requirements are aimed at protecting against these attack methods. 

Recommendations for meeting compliance

Based on extensive analysis, Verizon offers the following recommendations to help organisations meet their PCI compliance goals:

·         Treat compliance as an everyday, ongoing process. Compliance requires continuous adherence to the standard. This means a daily log review, weekly file-integrity monitoring, quarterly vulnerability scanning and annual penetration testing. To achieve this, Verizon recommends an internal PCI champion ensures compliance becomes part of daily business activities

·         Self-validate very carefully – or not at all. Level 1 and 2 merchants – who process the highest volumes of cardholder transactions – are allowed to assess themselves against the standard. Due to the numerous issues and conflicts of interest this can cause, Verizon highly recommends an objective third party validate the scope of the assessment or perform the testing

·         Prepare to have the bar raised. In October 2010, the PCI Security Standards Council announced PCI DSS version 2.0. This version requires a more stringent executive summary and validation of methodology for scope definition. Organisations, many of which are having severe issues complying with the existing standards, need to quickly get ready for the new version

Additional findings and recommendations are available in the full report, which can be downloaded at http://www.verizonbusiness.com/go/2011pci/us. In addition to the report, Retail Times readers can access all report resources by visiting the Verizon PCI Report Resource Center.