Many businesses which accept credit card payments are facing problems with compliance, which raises the spectre of security breaches, according to the Verizon 2014 payment card industry (PCI) compliance report.
The report said that in most cases the main issue was implementation and not a failure of security technology. Compliance with the PCI security standard was not as big an issue as implementation of appropriate compliance and security measures as intended according to the report.
Verizon Enterprise Solutions managing director PCI practice, Rodolphe Simonetti, said “We continue to see many organizations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365 day-a-year focus.”
According to the report, initial compliance with the PCI standard had shown some improvement. In 2013 over 82 per cent of organisations were compliant with at least 80 per cent of the PCI standard when their annual baseline assessment was completed. This was compared with 32 per cent the previous year.
Breach notification laws alongside varying legal requirements and levels of adoption contributed to regional differences in the results according to Verizon. The Asia-Pacific region had the highest level of compliance, followed by the United States and Europe.
The areas where businesses struggle the most in achieving initial compliance include: security testing (23 per cent); security monitoring and the ability to effectively detect and respond to compromised data (17 per cent); and protecting stored sensitive data (55 per cent).
Simonetti said any less that 100 per cent compliance is an issue.
“We have seen time and time again that noncompliance leaves an organization open to credit card theft, which can potentially cost hundreds of millions of dollars,” he said.
The report examined in detail how organisations comply with each of the twelve specific PCI requirements and provided recommendations that companies could implement to improve compliance.
Verizon claims the report is based on case work undertaken by its team of PCI qualified security assessors from 2011 to 2013.