Despite an increase of 3.6% in the past year, only 11.1% of organisations that accept card payments complied fully with the Payment Card Industry's Data Security Standard (PCI DSS) in 2013, according to the latest report from Verizon. This means most organisations remain at high risk of data breaches and the associated financial and reputational damage, with payment card transactions a prime target for cyber fraudsters.
The "Verizon 2014 PCI Compliance Report" affirms that the rate at which data breaches are occurring appears to be increasing. The Nilson Report estimates that global credit card fraud exceeded $11 billion in 2012 alone.
According to the Verizon report, payment card data remains one of the easiest types of data to convert to cash and is therefore the preferred choice of criminals. 74% of attacks on retail, accommodation and food services companies target payment card information. Nevertheless, only around one in ten organisations were fully compliant with PCI DSS.
However, the report notes that most payment card data breaches are not a failure of security technology or of the PCI DSS itself, but a failure to implement the appropriate measures as intended.
“Many organisations view PCI compliance as an annual event, rather than an ongoing process,” said Kim Haverblad, northern Europe professional services manager, PCI Practice at Verizon Enterprise Solutions.
"In 2013, 82% of organisations were compliant with at least 80% of the PCI standard, up from only 32% in 2012, but it is not all good news."
The Verizon 2014 PCI Compliance Report also shows regional differences, with European businesses lagging far behind the rest of the world in card payment security. Only 31% of European businesses were found to be meeting 80% or more of the PCI requirements on an ongoing basis, compared with 75% in Asia-Pacific and 56% in the US.
"This is due to varying legal requirements, such as data breach notification laws, and varying levels of PCI DSS adoption," said Haverblad, one of the report's co-authors.
According to the report, areas where businesses struggle the most in achieving initial compliance include security testing (23.8%); the ability to detect and respond to data compromises (17%); and protecting stored sensitive data (55.6%).
“Outsourcing some of the more technical aspects can help organisations improve their PCI compliance and level of security, as long as they ensure their suppliers adhere to the framework,” said Haverblad.
“While operations can be outsourced, organisations can never outsource responsibility and remain accountable for the security of card payment data.”
The report examines how well organisations comply with each of the 12 specific PCI requirements and provides guidelines on how to achieve and maintain compliance.
The report also explains how non-compliance with each of the requirements can lead to a data breach.