Businesses Still Lax Over Payment Card Security

Retailers and merchants still have a lot of work to do to stay compliant with international payment data security standards.
Matthew Heller, March 11, 2015

Payment card data security continues to be lax among retailers and other merchants, with four out of five failing interim assessments of their compliance with international security standards, according to a new report.

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) actually rose last year to 80% from 88.9% in 2013, Verizon said in its latest annual PCI compliance survey, and overall compliance went up by 18 percentage points for 11 out of the 12 payment data security standards.

But Verizon suggested there was no cause for celebration, noting that with the failure rate still so high, “it’s clear that there’s a lot more to do,” particularly in the area of sustaining compliance. Only 28.6% of the companies that passed their annual security inspection were still in compliance less than a year later, at the interim assessment.

“Officially they remain compliant, but only two or three weeks a year,” Rodolphe Simonetti, a consultant with Verizon, told CNN. “As soon as something else is in the list of priorities, security is dropped.”

The 12 PCI DSS requirements, which are only a baseline standard, include maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining antivirus software, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems, and maintaining security policies.

According to Verizon, the biggest increase in compliance was in authenticating access, while the only area where compliance fell was testing systems.

But the report stresses that “the volume and scale of data breaches in the last 12 months make it clear that current techniques are not stopping attackers — in many cases they aren’t even slowing them down.” Out of all the data breaches in the past 10 years that Verizon studied, not a single company was found to be compliant at the time of the breach.

Verizon recommends that PCI compliance “should not be seen in isolation, but as part of a comprehensive information security and risk-management strategy. A PCI DSS assessment can uncover important security gaps that should be fixed, but it is no guarantee that your customer’s data and your reputation are safe.”