
Businesses flout PCI storage and monitoring standards


Most businesses are still failing to comply with payment card security standards.

According to Verizon's payment card industry compliance report, most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

Of the organisations Verizon assessed, only 21 per cent were found to be fully compliant at the completion of their initial report on compliance, consistent with similar research from a year ago, a result Verizon called "a bit disappointing".

However, on average, organisations met 78 per cent of all test procedures defined in the standard at the time of their report, a drop of three per cent from last year.

The report said: “Most of these organisations have had multiple chances to become familiar with the PCI assessment process and one would think they should become more able to meet requirements year after year. So why aren't they?

“There is no clear and easy answer to this question, though we can draw several inferences from the statistics. The most obvious is that compliance is not a simple matter. PCI-DSS is not a group of easy controls and it is apparent that they aren't inherent in most security programs.

“Although a few of the companies can claim that it's their first rodeo, they haven't yet demonstrated mastery of PCI-DSS. Therefore, the baseline set by the PCI-DSS must not reflect the baseline set by the companies themselves. For most organisations, to achieve compliance they must do things they were not previously doing (or maintaining). Of course, whether or not these are the right things to be doing is a separate question.”

Statistics from more than 100 global assessments compiled by Verizon found that organisations struggled the most to comply with requirements 3 (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes) and 12 (maintain security policies), all of which are directly linked to protecting cardholder data.

It also found that requirements 4 (encrypt transmissions over public networks), 5 (use and update anti-virus), 7 (restrict access to need-to-know) and 9 (restrict physical access) had the highest implementation levels.

Wade Baker, director of risk intelligence at Verizon, said: “We had hoped to see more organisations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organisations and in all likelihood lead to fewer breaches.

“By reviewing this report, organisations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit card environment for consumers and businesses.”

Verizon recommended a daily log review, weekly file-integrity monitoring, quarterly vulnerability scanning and annual penetration testing and, for level one and two merchants, self-assessment.
