
Businesses flout PCI storage and monitoring standards


Most businesses are still failing to comply with payment card security standards.

According to Verizon's payment card industry compliance report, most businesses that accept credit or debit cards continue to struggle to achieve, and then maintain, compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

Of the organisations Verizon assessed, 21 per cent were found to be fully compliant at the completion of their initial report on compliance, a figure consistent with similar research from a year ago and one Verizon called "a bit disappointing".

On average, however, organisations met 78 per cent of all test procedures defined in the standard at the time of their report, three per cent lower than last year.

The report said: “Most of these organisations have had multiple chances to become familiar with the PCI assessment process and one would think they should become more able to meet requirements year after year. So why aren't they?

“There is no clear and easy answer to this question, though we can draw several inferences from the statistics. The most obvious is that compliance is not a simple matter. PCI-DSS is not a group of easy controls and it is apparent that they aren't inherent in most security programs.

“Although a few of the companies can claim that it's their first rodeo, they haven't yet demonstrated mastery of PCI-DSS. Therefore, the baseline set by the PCI-DSS must not reflect the baseline set by the companies themselves. For most organisations, to achieve compliance they must do things they were not previously doing (or maintaining). Of course, whether or not these are the right things to be doing is a separate question.”

Statistics compiled from more than 100 global assessments by Verizon found that organisations struggled most with requirements 3 (protect stored cardholder data), 10 (track and monitor all access to network resources and cardholder data), 11 (regularly test security systems and processes) and 12 (maintain an information security policy), all of which bear directly on how cardholder data is stored, accessed and monitored.

It also found that requirements 4 (encrypt transmissions over public networks), 5 (use and update anti-virus), 7 (restrict access to need-to-know) and 9 (restrict physical access) had the highest implementation levels.

Wade Baker, director of risk intelligence at Verizon, said: “We had hoped to see more organisations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organisations and in all likelihood lead to fewer breaches.

“By reviewing this report, organisations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit card environment for consumers and businesses.”

Verizon's recommendations track the cadences the standard itself sets: daily review of logs (requirement 10), file-integrity monitoring checks at least weekly (requirement 11.5), quarterly vulnerability scanning (requirement 11.2) and annual penetration testing (requirement 11.3) and, for level one and two merchants, self-assessment.
