PCI DSS, the Payment Card Industry Data Security Standard, is supposed to help organizations become more secure and in turn limit the risk of breaches for end-users. The reality, though, is that organizations are often only compliant with PCI DSS at a point in time; when breaches occur, it's because the organization was no longer in full compliance.
The latest version of the Verizon PCI compliance report, an annual guidepost for the state of PCI trends, was released today, revealing many of the same shortcomings covered in prior reports.
Just 20 percent of surveyed companies were fully PCI DSS-compliant during an interim assessment in 2014. While that number seems low, it is up from 11.1 percent in 2013 and 7.5 percent in 2012.
PCI DSS compliance is important for multiple reasons, Verizon noted. Perhaps the most obvious reason is that over the last decade of breach investigations, not a single breached organization was found to be fully compliant with PCI DSS standards.
New Attitude Needed
"The three key areas where organizations fall out of compliance are regularly testing security systems, maintaining secure systems and protecting stored data," Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions, said in a statement. "Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI DSS-compliant at the time of the breach."
The PCI Security Standards Council, the organization behind the development of the PCI DSS standard, sees the Verizon report as a wake-up call for more security diligence. Stephen W. Orfei, general manager, PCI Security Standards Council, said there needs to be a change in the casual mindset that too many organizations have about customer data.
"Often an organization’s approach to PCI security is to focus on passing the annual compliance assessment," Orfei said in a statement. "Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice will help thwart these constant threats."
PCI Compliance Too Complex?
Dave Oder, CEO of secure payment processing vendor Shift4 Corporation, said that many organizations are lulled into a false sense of security after "checking the boxes" of PCI compliance, incorrectly believing that compliance signifies security.
"As the study has discovered, nearly 70 percent of organizations surveyed that had achieved PCI DSS compliance fell out of compliance the following year," Oder said.
The Verizon report findings lead to the question of whether compliance has become too complex, Oder added.
"Organizations that focus on compliance and jump through all of PCI’s hoops may achieve compliance for a moment in time, while organizations looking to be secure at all times will find that compliance comes naturally," Oder said. "There is no silver bullet for security; however, true P2PE (point-to-point encryption), coupled with tokenization, provides merchants with a multi-prong security strategy that greatly enhances their security posture and reduces their breach profile."
In Oder's view, PCI does not validate certain types of security solutions that could be considered more secure than the ones it currently validates.
"Merchants need the maneuverability to select solutions that provide security beyond compliance," he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.