BASKING RIDGE, N.J., Oct. 4. While payment card data breaches remain all too common, a new report from Verizon Business shows that organizations that follow industry security standards suffer such incidents far less often. In a first-of-its-kind "Verizon Payment Card Industry Compliance Report," the company examines the state of compliance with the Payment Card Industry Data Security Standard (PCI DSS), the standard first published in 2004 and maintained since 2006 by the PCI Security Standards Council to protect cardholder data and reduce payment card fraud. Company investigators found that breached organizations are 50 percent less likely to be PCI compliant than organizations assessed in the normal course of business, and that only 22 percent of organizations were PCI compliant at the time of their initial examination.
In addition to assessing the effectiveness of the PCI DSS, the report identifies which attack methods are most common and provides recommendations for businesses on earning and maintaining PCI compliance.
The compliance report is based on PCI DSS assessments conducted by Verizon's team of PCI Qualified Security Assessors (QSAs) in 2008 and 2009, drawing on a sample of approximately 200 assessments. As a QSA, Verizon audits and evaluates a company's compliance with the PCI DSS, which is maintained and periodically revised by the PCI Security Standards Council, the governing body for PCI security standards.
"The Verizon Payment Card Industry Compliance Report gives organizations an unprecedented view into the state of PCI compliance across the board, specifically pointing out which requirements are most difficult to meet," said Peter Tippett, vice president of technology and innovation at Verizon Business. "We hope this report will help organizations approach PCI compliance in a more informed and effective way. Ultimately, we want the same thing as the rest of the industry: fewer payment card losses and data breaches."
The findings show that organizations that meet PCI requirements are less likely to be breached. To obtain a more in-depth view, Verizon overlaid the findings from the payment card breach cases in the "Verizon 2010 Data Breach Investigations Report" (DBIR) on the assessment data and analyzed the combined data set for commonalities. Top findings include:
* Only 22 percent of organizations are compliant initially. Most organizations were not compliant with the PCI requirements at the time of the Initial Report on Compliance, the point at which Verizon QSAs first evaluate an organization against the standard. Most of the organizations that were fully compliant had been through the process before or were not required to meet all of the requirements.
* Compliance, however, is within reach. While 78 percent of organizations are not compliant initially, organizations meet, on average, 81 percent of the testing procedures the PCI DSS requires. Three-quarters of the organizations met at least 70 percent of the testing procedures, so with more diligence they have a good chance of becoming compliant. Only 11 percent of organizations met less than half of the testing procedures at the time of their initial review.
* Organizations that suffer a breach are 50 percent less likely to have achieved or maintained PCI compliance. At the end of a forensic or data breach investigation, Verizon investigators assess how compliant the breached organization is with the PCI DSS. Comparing that data with the results of official PCI assessments, Verizon analysts determined that organizations that had suffered a data breach were 50 percent less likely to be compliant with the standard than the organizations Verizon assessed as a QSA. The comparison shows correlation rather than cause, but it indicates that PCI compliance can help prevent data breaches.
* There is a correlation between data breaches and the PCI requirements companies find hardest to meet. Of the 12 requirements that make up the PCI DSS, three (Requirement 3, protect stored cardholder data; Requirement 10, track and monitor all access to network resources and cardholder data; and Requirement 11, regularly test security systems and processes) cover the areas most often exploited in the breaches the DBIR examined. Those same three requirements are also the ones companies struggle most to meet during PCI assessments.