Maintaining PCI Compliance a Showstopper for Many Retailers

Jan. 14, 2015 - PRLog -- Verizon Enterprise Solutions unveiled select initial findings from its upcoming 2015 PCI Report at the company’s annual NRF event for press and clients on January 12.  Due out in February, the 2015 report will examine the state of Payment Card Industry (PCI) Data Security Standard compliance and its correlation to data breaches among organizations such as retailers and restaurateurs that rely heavily on payment card transactions.

The initial glance at the data suggests that many companies fall out of compliance once it’s achieved.  In fact, fewer than one-third were still fully DSS-compliant less than a year after being validated.

Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI-compliant at the time of the breach.

Two key areas where organizations fall out of compliance include regularly testing security systems and processes and maintaining firewalls.

“Today’s cybersecurity landscape is changing,” said Rodolphe Simonetti, director of compliance and governance professional services for Verizon Enterprise Solutions. “As a result, organizations need to change the way they approach security.  Businesses need to adopt a model that we call ‘resilience’ which means they must accept they can never be fully secure.  There is no silver bullet for data protection.”

Simonetti recommends that organizations look holistically at security which means enterprises must:

·         Put safeguards in place to prevent attacks

·         Accept that a breach can happen

·         Be prepared to respond by:

o   Mitigating the impact of a breach

o   Restoring defenses

o   Resuming normal operations as quickly as possible.

2015 PCI Report from Verizon Enterprise Solutions

This year’s report will cover three years of data and include the results from thousands of PCI assessments conducted by Verizon’s team of PCI Qualified Security Assessors for mostly Fortune 500 and large multinational firms in more than 30 countries.  The 2015 report will explore the relationship between compliance and being secure and the biggest gaps.

Similar to the 2014 report, Verizon will take an in-depth look at each of the 12 PCI requirements, including a first-time look at compliance against the 3.0 standard.

The 2015 report will be expanded to include findings regarding how and where companies fall out of compliance once achieved.  It also will include a section explaining “how to make compliance easier,” featuring actionable recommendations for enterprises that want to stay PCI compliant.

PCI Report Findings Based on Actual PCI Assessments

Similar to Verizon’s Data Breach Investigations Report (DBIR) series, the PCI Report is based on actual casework and is the only report of its kind in the industry. This report analyzes PCI Data Security assessment data, with a specific focus on the retail, financial services and hospitality industries across North America, Europe and the Asia-Pacific region.

The 2014 PCI Report can be viewed at: www.verizonenterprise.com/pcireport/2014/.