Companies can dramatically cut their risks of data breaches by complying with payment standards, according to a new report.
The report, by Verizon Business, found that many businesses that had experienced intrusions were not compliant. Breached organisations were 50 percent less likely to have followed the PCI payment industry standard, it said.
In its 'Payment Card Industry Compliance Report', Verizon examines the state of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006 to protect cardholder data and reduce credit card fraud.
The report is based on findings from PCI DSS assessments conducted by Verizon’s team of PCI assessors in 2008 and 2009, and is based on around 200 assessments.
“The Verizon Payment Card Industry Compliance Report gives organisations an unprecedented view into the state of PCI compliance across the board, specifically pointing out which requirements are most difficult to meet,” said Peter Tippett, VP at Verizon Business.
To obtain a more in-depth view of the data, Verizon overlaid the findings from payment card breach cases included in the 'Verizon 2010 Data Breach Investigations Report', and then analysed the combined data set for commonalities.
At the end of a forensic or data breach investigation, Verizon investigators assess how compliant the organisation is with PCI. By reviewing this data against official PCI assessments, Verizon analysts determined that organisations that had a data breach are 50 percent less likely to be compliant with the standard. These findings indicate that PCI compliance can help prevent data breaches, it said.
Of the 12 requirements that comprise the PCI DSS, three of them - protect stored data, track and monitor access to network resources and cardholder data, and regularly test security systems and processes - cover areas that are most vulnerable to security breaches, according to Verizon's DBIR. However, those three requirements are also the same ones that companies struggle the most to meet for PCI compliance, said Verizon.
The Payment Card Industry Security Standards Council recently announced that it will begin moving to a three-year cycle related to the main technical standards it issues for protection of sensitive payment-card information, allowing merchants and others more time to adopt them.