Most Organizations Fall Short On PCI DSS, Verizon Reports

This year's Verizon 2011 Payment Card Industry Compliance Report validates the findings of the first report issued last year: About one in five organizations for which Verizon provided Qualified Security Assessor (QSA) services were fully compliant in their Initial Report on Compliance (IROC), but the balance were found lacking, on average passing about 80% of the QSA evaluation tests.

The report, based on analysis of 2010 audits, produced results comparable with the first report, which was based on cumulative 2008 to 2009 data. This indicates a consistent pattern of enterprise compliance and non-compliance over three years. "The longer you see a certain pattern seems to suggest that pattern points to something real," says Cory Wade, Verizon director of risk intelligence.

Verizon says that the findings indicate a pattern of backsliding after organizations achieve compliance, failing a fifth of their tests, on average, in the following IROC. The organizations that pass all tests initially have continuous compliance programs that they maintain throughout the year.

"If we could plot the compliance level going forward in time, I get a sense it would look like a roller coaster," says Wade. "You have an upswing when the QSA shows up, then they hit peak and start to slide during the remainder of the year."

The report is based on QSA audits of more than 100 Verizon clients, about 60% of them based in the United States, most of the rest in Europe, and a small number in Asia. The PCI requirements that proved most difficult, measured by the share of organizations that passed the relevant tests, were:

  • Requirement 3: Protect stored data (42%)
  • Requirement 11: Regularly test security systems and processes (37%)
  • Requirement 12: Maintain security policies (39%)
