Businesses warm to PCI compliance: Verizon

The 2014 Verizon PCI Compliance Report shows that businesses are starting to realise the benefits of complying with the Payment Card Industry Security standards.

The need for organisations to comply with the Payment Card Industry (PCI) Security standards is more important than ever as payment card data becomes more valuable, according to the 2014 Verizon PCI Compliance Report.

PCI Security standards are international standards created and maintained by the PCI Security Standards Council (SSC), which represents major global card brands, to verify that merchants and service providers are appropriately protecting card holder data. While PCI Security standards are not enforced by law, except in a few US states, compliance is often required through the terms of a business contract between the merchant, acquirer, or other parties.

Based on the latest compliance report, the proportion of organisations complying with the PCI Security standards has increased. Back in 2011, an average of 32 percent of organisations were 80 percent-plus compliant, compared with 82 percent of organisations today.

By region, Asia-Pacific organisations are the most compliant (75 percent), ahead of American (56.2 percent) and European organisations (31.3 percent).

Head of PCI-DSS APAC Sebastian Mazas said this result is "very impressive and a very good surprise".

However, Mazas also said there is still room for improvement, pointing out three key areas in which businesses are struggling to manage compliance: security testing, security monitoring and the capability to respond to a compromise, and the protection of stored data. He noted that these areas are where attacks are more likely to occur going forward.

To ensure that they are protected, businesses need to meet 12 requirements in order to be fully compliant with PCI-DSS 2.0. These include installing and maintaining a firewall configuration to protect card holder data; not using vendors' default passwords or security parameters; and protecting stored card holder data.

The report also shows that there's a strong correlation between a badly configured firewall and the likelihood of a security breach. Data from Verizon's RISK team showed that only 12.5 percent of organisations that suffered a data breach in 2013 were compliant with the requirement to install and maintain a firewall configuration to protect card holder data.

Mazas said implementing a system is not difficult; making it work efficiently within a business is the challenge.

"The main thing with PCI is people note it as a cost, but rather it's a real opportunity to improve business efficiency, IT efficiency, and create innovation to make it simple and manageable when it comes to security," he said.

"PCI is an opportunity to rethink your business so that your IT supports your business so that it adapts to the real threat landscape and cope with all the new threats that appear in areas such as IT virtualisation, BYOD, and cloud."