Report: Most businesses are not PCI compliant

A new Verizon (NYSE: VZ) report has found that many businesses, following their annual assessment for meeting the Payment Card Industry Data Security Standard, fail to maintain ongoing compliance -- putting the businesses at an increased risk for data breaches and the subsequent financial repercussions and damages to reputations.  

The Verizon 2014 PCI Compliance Report confirms what the retail IT industry already knows: that payment card transactions remain a prime target for attackers, and the rate at which data breaches are occurring appears to be increasing. The Nilson Report estimates that global credit card fraud exceeded $11 billion in 2012 alone.

According to the report, in most cases, payment card data breaches are not a failure of security technology or of the PCI compliance standard, but rather a failure to implement appropriate compliance and security measures as intended.

"We continue to see many organizations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365-day-a-year focus," stated Rodolphe Simonetti, managing director, PCI practice, Verizon Enterprise Solutions.

There is a bright spot in the report: Organizations' initial compliance with the PCI standard has shown some improvement. In 2013, more than 82 percent of organizations were compliant with at least 80 percent of the PCI standard at the time of their annual baseline assessment, compared with just 32 percent in 2012.

Areas where businesses struggle the most in achieving initial compliance include security testing (23.8 percent), security monitoring and the ability to effectively detect and respond to a data compromise (17 percent), and protecting stored sensitive data (55.6 percent).

"Anything less than 100 percent compliance is an issue for businesses today," said Simonetti. "We have seen time and time again that noncompliance leaves an organization open to credit card theft, which can potentially cost hundreds of millions of dollars when you factor in all the damages, not to mention lost consumer trust and the impact on brand reputation."

Retailers that aren't evaluating maintenance schedules are putting themselves at increased risk for data breaches. "Organizations need to rethink how they factor in maintaining a PCI-compliant environment, whether it's devoting more resources or working with a managed security services provider," said Simonetti. "Compliance activities should be planned; integrated with the larger organization-wide governance, security and compliance initiatives; and automated as much as possible to help ensure compliance is sustainable and cost effective."

For more:
-See this Verizon report
