Businesses taking PCI compliance more seriously: Verizon

The 2015 Verizon PCI compliance report showed an increase in PCI compliance among businesses globally during 2014.

The number of organisations that fully complied with the payment card industry (PCI) security standards during 2014 rose to 20 percent, according to the latest Verizon PCI compliance report.

Previous reports showed that in 2013, only 11.1 percent of organisations globally were fully PCI compliant, with average global compliance rising to 93.7 percent in 2014, up from 85.2 percent.

The report indicated that the rise in full compliance was due to an improvement in compliance across the board, with more than 60 percent of the companies assessed during 2014 compliant with any given one of the 12 PCI DSS requirements. As a result, PCI DSS compliance went up by an average of 18 percent for 11 out of the 12 requirements.

The 12 PCI DSS requirements include maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining antivirus software, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems, and maintaining security policies.

Sebastien Mazas, PCI Services professional services manager, told ZDNet that these outcomes are the best results to date. The only requirement that did not see an increase was the testing of security systems.

The report showed that on average, breached organisations were 36 percent less likely to be compliant with a given requirement. Mazas pointed out that there is a clear correlation between companies that are not fully PCI compliant and the high level of risk they face.

"If we look at the results from this investigation, we see two things. The first is 45 percent of the breached companies were not compliant on one aspect, which was patch management and development security. And 72 percent of them were not compliant on everything considering the log management and log monitoring," he said.

"So if you combine the fact that those that were not compliant with testing the security, if they had been testing, they probably would've discovered vulnerabilities on the system, and would probably have looked at their logs a bit more carefully."

Mazas warned that it's increasingly important for PCI compliance to be high on the agenda for organisations, with 69 percent of consumers admitting that they will stop doing business with a breached company.

Further to this, the report showed that card payments are not going away soon, whether through the use of a credit card, a debit card, or electronic methods such as contactless mobile payments.

Mazas added that PCI compliance will be particularly important going forward, as statistics indicate that the number of incidents is predicted to increase by 66 percent.

"It has been a saying for ages in security that the question is not of a matter of whether you are going to be breached, but when are you going to be breached," he said.