Menu
Maintaining PCI compliance is a big challenge for most companies

Maintaining PCI compliance is a big challenge for most companies

Many tend to treat compliance as a lone annual event, leaving them vulnerable, Verizon says

A majority of companies that achieve annual compliance with the Payment Card Industry Data Security Standard (PCI DSS) fail to then maintain that status. As a result, they often remain exposed to potential data breach risks and other security threats, Verizon said in a report this week.

Verizon's report is based on the results of annual PCI compliance assessments the company performed at more than 500 large organizations between 2011 and 2013. The results are based on actual compliance data gathered from companies in the retail, financial services, travel and hospitality sectors and other vertical markets.

The analysis showed that barely 11.1% of enterprises maintained their compliance status between each assessment.

More than 82% were compliant with only about eight in 10 PCI DSS requirements at the time of their annual assessments and needed an additional three months or so to close the gaps, said Rodolphe Simonetti, managing director, PCI practice for Verizon Enterprise Solutions.

The problem has to do with a tendency by many companies to treat PCI compliance as an annual end goal rather than treating it as part of a continuous risk management effort.

"Too many companies still look at PCI as pure compliance and don't use it to mitigate risk," Simonetti said. "Often, compliance is managed as a project -- particularly as the build phase of a project." Once compliance is achieved, many companies simply stop paying attention, he said.

"It is really a failure to use compliance standards and tools and a day to day basis," Simonetti said.

The areas where many companies appear to have particular problems involve PCI requirements on protecting data at rest, security testing and monitoring security controls and detecting and responding to compromises, he said. More than half of the companies assessed failed compliance requirements for protecting data at risk in their initial annual compliance assessments.

The recent data breach at Target that exposed data on more than 40 million debit and credit cards has focused considerable attention on PCI standards and compliance issues in general.

Target, like many others before it, has noted that it was breached despite achieving compliance with all PCI requirements. The implication is that the standard does little to protect companies against new and sophisticated threats.

But the reality is that "most breaches are not a failure of the technology or standards but rather a failure to implement the standards," according to Simonetti.

A lack of resources and manpower continue to be major roadblocks to ongoing PCI compliance at many companies, which often reassign staff to other projects once they have passed their annual security audit.

Under PCI rules, large companies such as Target are required to conduct quarterly vulnerability scans to check for threats to payment card data. But companies then fail to take the requirement in the spirit it was intended and fail their quarterly scans, Simonetti said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingsecurityVerizon Enterprise SolutionsMalware and Vulnerabilities

Featured

Slideshows

Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
​What are the top 10 tech trends for New Zealand in 2017?

​What are the top 10 tech trends for New Zealand in 2017?

Digital Transformation (DX) has been a critical topic for business over the last few years and IDC is now predicting a step change as DX reaches macroeconomic levels. By 2020 a DX economy will emerge and it will become the core of what New Zealand industries focus on. From the board level through to the C-Suite, Kiwi organisations must be prepared to think and act digital when the DX economy emerges in 2017.

​What are the top 10 tech trends for New Zealand in 2017?
Top 15 Kiwi tech storylines to follow in 2017

Top 15 Kiwi tech storylines to follow in 2017

​The New Year brings the usual new round of humdrum technology predictions, glaringly general, unashamedly safe and perpetually predictable. But while the industry no longer sees value in “cloud is now the norm” type projections, value can be found in following developments of the year previous, analysing behaviours and patterns to formulate a plan for the 12 months ahead. Consequently, here’s the top Kiwi tech storylines to follow in 2017...

Top 15 Kiwi tech storylines to follow in 2017
Show Comments