Study Finds Surprising Lack of Credit Card Data Security
Only 20 percent of payment card-accepting companies complied with the full set of international security standards in 2013, according to a report from Verizon. The 2015 PCI Compliance Report looked at how thousands of retailers, hospitality companies, financial service firms and other organizations followed the standards established by the PCI Security Standards Council.
While complying with PCI standards is not required by law (it is a contractual obligation imposed by the card brands through acquiring banks, with fines and loss of card-processing privileges as the penalty for noncompliance), companies that meet those requirements are better prepared to meet other regulatory security requirements. They can also be eligible for better commercial terms from payment card service providers.
Established in 2006, the PCI Security Standards Council is led by five founding members: American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. The group’s standards are aimed at protecting the security of customer payment card data.
‘Anything Less than 100 Percent an Issue’
Verizon’s PCI Security practice has been assessing compliance with payment card security standards since 2009. Its latest report looks at 2011-2013 data provided by retailers, hotels, business offices, data centers and even an airport.
While few of the surveyed organizations met all 12 requirements of the PCI Data Security Standard (PCI DSS), a growing number are complying with most of them, the Verizon study found. More than 82 percent of businesses met most of the requirements in 2013, up from 32 percent in 2012, even though only a fifth met every one of them.
However, organizations need to do more to ensure the safety and security of their customers’ data, said Rodolphe Simonetti, managing director of the PCI practice for Verizon Enterprise Solutions.
“Anything less than 100 percent compliance is an issue for businesses today,” Simonetti said. “We have seen time and time again that noncompliance leaves an organization open to credit card theft, which can potentially cost hundreds of millions of dollars when you factor in all the damages, not to mention lost consumer trust and the impact on brand reputation. Organizations need to rethink how they factor in maintaining a PCI-compliant environment, whether it’s devoting more resources or working with a managed security services provider.”
Standards ‘Not Going Away’
The PCI standards require firewalls, protected data storage, encryption of cardholder data in transit, anti-malware measures, secure development and maintenance of systems and applications, identity management and authentication, physical security for data systems, network tracking and monitoring, security policies and regular security testing. They also prohibit the use of vendors’ default passwords and limit access to cardholder data on a “need-to-know” basis.
The 2015 report found that businesses struggle most in complying with the maintenance of security policies (55.6 percent), security testing (23.8 percent), and security monitoring and threat detection (17 percent). Compliance also varied from region to region: the share of organizations meeting at least 80 percent of the requirements was highest in the Asia-Pacific region (75 percent), followed by the U.S. (56 percent) and Europe (31 percent).
If you wish to read the full article, please click here: http://www.cio-today.com/article/index.php?story_id=023000QNVGX2