New Report on PCI-DSS Compliance Finds Room for Improvement

Data breaches are increasingly common, with an estimated $11 billion in global credit-card fraud in 2012 alone. Yet according to a new report, many organizations still fail to take the necessary security measures to prevent the theft of payment card data by cybercriminals.

The Verizon 2014 PCI Compliance Report states that many companies face an increased risk of data breaches because they fail to maintain ongoing compliance with the Payment Card Industry Data Security Standard (PCI-DSS) rules. These rules are a set of voluntary international standards created to verify that merchants and service providers are appropriately protecting cardholder data. While overall compliance with the standards rose to more than 80% in 2013 — compared to just 32% in 2012 — only 11.1% were fully compliant, up from just 7.5% in 2012.

According to the report, most payment-card data breaches are the result of an inconsistent implementation of compliance measures. Unfortunately, the data shows that most companies focus on PCI-DSS — but only at the annual compliance validation assessment. It is this failure to fully integrate compliance measures into the day-to-day activities of the organization that presents the most significant barrier to full compliance.

An examination of the 12 specific PCI-DSS requirements found several noteworthy deficiencies in many compliance programs. Limiting access to personal cardholder information appears to be troublesome for many businesses, with 71% failing to meet PCI standards. Additionally, while properly managed logs are imperative for detecting the early warning signs of a cyber attack, 80.1% of companies had ineffective log-management policies. Other areas of concern include security testing (23.8% compliant); security monitoring and the ability to effectively detect and respond to a data breach (17% compliant); and protecting stored sensitive data (55.6% compliant).

The report recommends that businesses plan out compliance activities more carefully, integrate PCI-DSS into their broader governance, security and compliance initiatives, and automate as much as possible to make compliance sustainable and cost-effective. It concludes by acknowledging that compliance is an onerous task, while warning of the significant financial, business and reputational damage that can result from a data breach facilitated by noncompliance.

PCI-DSS compliance is critical for defending against increasingly sophisticated criminals in today's technology-driven business environment. By training staff on these standards, organizations can help keep cardholder data safe and preserve their reputation. WeComply's online PCI-DSS training course instructs employees who handle payment-card information on how to do so in accordance with PCI-DSS.

Topics: Credit Cards, Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Fraud

Published In: Consumer Protection Updates, Finance & Banking Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WeComply, a Thomson Reuters business | Attorney Advertising
