Verizon PCI compliance report a 'wake-up call'

While twice as many companies were validated as compliant during their initial compliance review in 2014 compared to 2013, nearly 80 percent of all businesses fail their interim Payment Card Industry compliance assessment, leaving them vulnerable to cyberattacks, according to Verizon's (NYSE: VZ) "2015 PCI Compliance Report."

The report also found that only 29 percent of companies are still fully PCI DSS-compliant less than a year after being validated.

"The 2015 Verizon report is an important document that should serve as a wake-up call for every business that cares about payment security," said Stephen W. Orfei, general manager, PCI Security Standards Council, in a press statement.

"The great news is that we are making clear progress in many key areas when it comes to protecting customers' payment data. However, the report emphasizes that we still have a long way to go because cyberattacks are on the rise, and too many companies do not make payment security an all day, every day priority," said Orfei.

In its fourth iteration, the annual report examines the state of Payment Card Industry Data Security Standard compliance and its correlation to data breaches among global organizations in the financial services, retail, and travel and hospitality industries, among other sectors. Verizon's cybersecurity research has consistently found that, since 2009, organizations suffering a data breach showed lower than normal compliance with a number of PCI DSS controls.

By reducing the likelihood of being breached, companies can better manage their brand, ensure consumer trust and potentially avoid hefty fees, Verizon said in a press release.

"Today's cybersecurity landscape is constantly changing," said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions. "Compliance at a point in time isn't sufficient to protect data. Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities within an organization's greater security strategy."

"The findings of the Verizon report are sobering," Orfei wrote in The Hill's "Congress Blog." The PricewaterhouseCoopers survey of 9,700 companies found that they had detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66 percent since 2009. "In other words, companies are under attack today from cyber criminals like never before. With the attacks coming fast and furious, the stakes involved in protecting payment data have never been higher. Cybercrime costs the U.S. economy $100 billion a year and costs the global economy $575 billion annually," he wrote.

According to Verizon, 45 percent of Americans say they or a household member had been notified that their credit card data had possibly been stolen in a data breach and 69 percent of consumers said they would be less inclined to do business with a breached organization. "The business community needs to up its game to answer this enormous challenge. Companies that fail to heed this warning do so at their own peril," Orfei said.

Perhaps the most startling statistic from the Verizon report was that, of all the payment card breaches its forensics team has investigated over the last 10 years, not a single breached organization was found to have been PCI DSS compliant at the time of the breach. "Our standards work but only if you follow them," Orfei wrote.

Other key findings from the Verizon report included:

  • Between 2013 and 2014, compliance increased for 11 of the 12 PCI DSS controls or, put another way, 60 percent of companies assessed in 2014 were compliant with any given requirement.
  • The average increase in compliance was 18 percentage points.
  • The biggest jump in compliance was in authenticating access.
  • The only area where compliance fell was testing security systems, from 40 percent to 33 percent.

Another troubling trend from this year's report is that data security is still inadequate, Simonetti said. The volume and scale of data breaches in the past 12 months are proof that current security techniques are not stopping attackers—in many cases they aren't even slowing them down. PCI DSS compliance must be viewed as part of a comprehensive information security and risk-management strategy. A PCI DSS assessment can uncover important security gaps that should be fixed, but it is not a guarantee that the data is safe from a cyberattack, he said.

For more:
See this Verizon press release
See the PCI Security Standards Council website
See this blog post in The Hill