In the wake of several recent security breaches at major department stores, a new study by telecom giant Verizon shows the need for organizations to comply with Payment Card Industry (PCI) security standards is more important than ever as payment card data becomes more valuable.
What are PCI security standards? They are international standards created and maintained by the PCI Security Standards Council (SSC), which represents major global card brands, to verify that merchants and service providers are appropriately protecting cardholder data. While PCI security standards are not enforced by the law, except in just a handful of states, businesses often comply through the terms of the business contract with the merchant.
The “Verizon 2014 PCI Compliance Report” affirms that payment card transactions remain a prime target for attackers, and the rate at which data breaches are occurring appears to be increasing. It is estimated by The Nilson Report that global credit cards fraud exceeded $11 billion in 2012 alone.
“We continue to see many organizations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365 day-a-year focus,” said Rodolphe Simonetti, managing director, PCI practice, Verizon Enterprise Solutions.
The Verizon report though, finds one bright spot in the report: Organizations’ initial compliance with the PCI standards has shown some improvement. In 2013, more than 82 percent of organizations were compliant with at least 80 percent of the PCI standards at the time of their annual baseline assessment, compared with just 32 percent in 2012. Region-to-region, Asia-Pacific organizations are the most compliant (75 percent) versus American (56.2 percent) and European organizations (31.3 percent).
Head of PCI-DSS APAC Sebastian Mazas said this result is "very impressive and a very good surprise.”
However, Mazas also said there is still room for improvement, pointing out three key areas in which businesses are struggling to manage compliance: Security testing, security monitoring and the capability to respond to a compromise, and the protection of stored data. He noted that these areas are where attacks are more likely to occur going forward.