Data breaches are increasingly common, with an estimated $11 billion in global credit-card fraud in 2012 alone. Yet according to a new report, many organizations still fail to take the necessary security measures to prevent the theft of payment card data by cybercriminals.
The Verizon 2014 PCI Compliance Report states that many companies face an increased risk of data breaches because they fail to maintain ongoing compliance with the Payment Card Industry Data Security Standard (PCI-DSS) rules. These rules are a set of voluntary international standards created to verify that merchants and service providers are appropriately protecting cardholder data. While overall compliance with the standards rose to more than 80% in 2013 — compared to just 32% in 2012 — only 11.1% of organizations were fully compliant, up from 7.5% in 2012.
According to the report, most payment-card data breaches are the result of an inconsistent implementation of compliance measures. Unfortunately, the data shows that most companies focus on PCI-DSS — but only at the annual compliance validation assessment. It is this failure to fully integrate compliance measures into the day-to-day activities of the organization that presents the most significant barrier to full compliance.
An examination of the 12 specific PCI-DSS requirements found several noteworthy deficiencies in many compliance programs. Limiting access to cardholder information appears to be troublesome for many businesses, with 71% of them failing to meet the standard's requirement. Additionally, while properly managed logs are imperative for detecting the early warning signs of a cyber attack, 80.1% of companies had ineffective log-management policies. Other areas of concern include security testing (23.8% compliant); security monitoring and the ability to effectively detect and respond to a data breach (17% compliant); and protecting stored sensitive data (55.6% compliant).
The report recommends that businesses plan out compliance activities more carefully, integrate PCI-DSS into their broader governance, security and compliance initiatives, and automate as much as possible to make compliance sustainable and cost effective. It concludes by acknowledging compliance as an onerous task, while warning of the significant financial, business and reputational damage that can result from a data breach facilitated by noncompliance.
PCI-DSS compliance is critical in today’s technological business environment for defending against increasingly sophisticated criminals. By training staff on these standards, organizations can help keep cardholder data safe and preserve their reputation. WeComply’s online PCI-DSS training course instructs employees who handle payment-card information on how to do so in accordance with PCI-DSS.