Businesses that accept credit or debit cards have continued to fail at achieving and maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to a report (PDF) released by Verizon.
The standard has 12 overarching requirements, set out by credit issuers such as Visa, MasterCard and American Express. These requirements branch out into 260 more detailed requirements that businesses must follow to protect credit card information if they wish to process transactions.
According to Verizon managing principal Asia-Pacific Mark Goudie, the compliance process is a two-stage assessment, the first resulting in an Initial Report of Compliance (IROC), and the second a Final Report of Compliance. However, according to the report, only 21 per cent of surveyed organisations are meeting their requirements at the IROC stage, even though they are meant to be fully compliant for that stage. In last year's report, Verizon found the compliance figure to be 22 per cent.
"When you get to that IROC stage, the organisation believes they are compliant and they're willing to be assessed. This is like turning up for exam day — you've done the study, you've attended the course all year, [but] despite it being exam day, there are still very few organisations that can meet all the requirements initially."
"Organisations tend to treat this as a once-a-year assessment, where they need to clean up because the assessor is coming."
Three key areas that businesses were failing to address were protecting stored data, testing their security systems and maintaining proper information security policies.
Goudie said that he was surprised to see how many businesses were failing to encrypt data outside of their main databases.
"Often the place where we find unencrypted data is not in the primary data store, but it's in some other part, some other temporary file or debug file or log file that the organisation doesn't realise is storing sensitive data, and that's where the data ends up getting stolen from," he said, adding that it made hackers' jobs easier if they could steal unencrypted data from secondary sources.
Goudie said that compliance needed to be a continual cycle if businesses wanted any real benefit from it. Rather than rushing to become compliant once a year, Goudie said that businesses should aim to maintain compliance throughout the year, reviewing their progress with a qualified security assessor monthly.
"It's really a means to get the assessor involved in the business, and that's a far lower-cost way of doing business. [It] builds the appropriate security practices and business practices into the business model."
He also said that businesses needed to be aware of the changes involved in the shift from PCI DSS 1.2 to 2.0 standards, which were released in October last year.
He warned against repeating history, recalling the backlash he saw in the market when organisations that were validated against 1.1 thought that they would be validated in 1.2 without taking any additional measures.
"We're now moving from PCI 1.2 to PCI 2.0. There are quite significant changes, and any organisation that needs to be PCI-compliant needs to be looking at PCI 2.0 sooner rather than later to ensure that they minimise the impact that has on their business for when they need to be PCI 2.0 compliant."