This year's Verizon 2011 Payment Card Industry Compliance Report validates the findings of the first report, issued last year: only about one in five organizations for which Verizon provided Qualified Security Assessor (QSA) services were fully compliant in their Initial Report on Compliance (IROC). The remaining organizations were found lacking, passing on average about 80% of the QSA evaluation tests.
The report, based on analysis of 2010 audits, produced results comparable with the first report, which was based on cumulative 2008 to 2009 data. This indicates a consistent pattern of enterprise compliance and non-compliance over three years. "The longer you see a certain pattern seems to suggest that pattern points to something real," says Cory Wade, Verizon director of risk intelligence.
Verizon says the findings indicate a pattern of backsliding once organizations achieve compliance: on average, they fail a fifth of their tests in the following IROC. The organizations that pass all tests initially are those with continuous compliance programs that they maintain throughout the year, rather than preparing only for the assessment.
"If we could plot the compliance level going forward in time, I get a sense it would look like a roller coaster," says Wade. "You have an upswing when the QSA shows up, then they hit peak and start to slide during the remainder of the year."
The report is based on QSA audits of more than 100 Verizon clients, about 60% of them based in the United States, most of the rest in Europe, and a small number in Asia. The PCI requirements that proved most difficult, measured by the share of organizations that passed the relevant tests, were: