
Many businesses not PCI compliant at time of data breaches - report

Verizon study says companies struggle to meet some of the most important standards


Companies can dramatically cut their risks of data breaches by complying with payment standards, according to a new report.

The report, by Verizon Business, found that many businesses that had experienced intrusions were not compliant. Breached organisations were 50 percent less likely to have followed the PCI payment industry standard, it said.

In its 'Payment Card Industry Compliance Report', Verizon examines the state of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006 to protect cardholder data and reduce credit card fraud.  

The report draws on around 200 PCI DSS assessments conducted by Verizon's team of PCI assessors in 2008 and 2009.

“The Verizon Payment Card Industry Compliance Report gives organisations an unprecedented view into the state of PCI compliance across the board, specifically pointing out which requirements are most difficult to meet,” said Peter Tippett, VP at Verizon Business.  

To obtain a more in-depth view of the data, Verizon overlaid the findings from payment card breach cases included in the 'Verizon 2010 Data Breach Investigations Report', and then analysed the combined data set for commonalities.  

At the end of a forensic or data breach investigation, Verizon investigators assess how compliant the organisation is with PCI. By reviewing this data against official PCI assessments, Verizon analysts determined that organisations that had a data breach are 50 percent less likely to be compliant with the standard. These findings indicate that PCI compliance can help prevent data breaches, it said.

Of the 12 requirements that comprise the PCI DSS, three of them - protect stored data, track and monitor access to network resources and cardholder data, and regularly test security systems and processes - cover areas that are most vulnerable to security breaches, according to Verizon's DBIR. However, those three requirements are also the same ones that companies struggle the most to meet for PCI compliance, said Verizon.

The Payment Card Industry Security Standards Council recently announced that it will begin moving to a three-year cycle related to the main technical standards it issues for protection of sensitive payment-card information, allowing merchants and others more time to adopt them.
