Businesses flout PCI storage and monitoring standards
Most businesses are still failing to comply with payment card security standards.
According to Verizon's payment card industry compliance report, most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
Of the organisations Verizon assessed, only 21 per cent were found to be fully compliant at the completion of their initial Report on Compliance, in line with similar research from a year ago, a figure Verizon called "a bit disappointing".
On average, however, organisations met 78 per cent of all test procedures defined in the standard at the time of their report, three percentage points lower than last year.
It said: “Most of these organisations have had multiple chances to become familiar with the PCI assessment process and one would think they should become more able to meet requirements year after year. So why aren't they?
“There is no clear and easy answer to this question, though we can draw several inferences from the statistics. The most obvious is that compliance is not a simple matter. PCI-DSS is not a group of easy controls and it is apparent that they aren't inherent in most security programs.
“Although a few of the companies can claim that it's their first rodeo, they haven't yet demonstrated mastery of PCI-DSS. Therefore, the baseline set by the PCI-DSS must not reflect the baseline set by the companies themselves. For most organisations, to achieve compliance they must do things they were not previously doing (or maintaining). Of course, whether or not these are the right things to be doing is a separate question.”
Statistics from more than 100 global assessments compiled by Verizon found that organisations struggled the most to comply with requirements 3 (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes) and 12 (maintain security policies), all of which are directly linked to protecting cardholder data.
It also found that requirements 4 (encrypt transmissions over public networks), 5 (use and update anti-virus), 7 (restrict access to need-to-know) and 9 (restrict physical access) had the highest implementation levels.
Wade Baker, director of risk intelligence at Verizon, said: “We had hoped to see more organisations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organisations and in all likelihood lead to fewer breaches.
“By reviewing this report, organisations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit card environment for consumers and businesses.”
Verizon's recommendations include daily log review, weekly file-integrity monitoring, quarterly vulnerability scanning and annual penetration testing, as well as self-assessment for level one and two merchants.