Less than a third of companies are fully compliant with PCI within one year of a validation

Forensic investigations conducted by Verizon have proven that over the past ten years, not a single organisation was found to be PCI-compliant at the time of the breach. Verizon is the world’s biggest forensic investigator of data breaches.

Verizon’s 2015 PCI Compliance Report has also found that breached companies were 36% less likely to be compliant with any given requirement of the Payment Card Industry Data Security Standard (PCI DSS). The report also shows that four in five surveyed retailers failed tests to determine whether their practices comply with the PCI DSS.

Furthermore, the ratio of companies compliant with Requirement 11 (testing security systems) has dropped from 40 to 33 percent.

“Checking your security, having a regular scan, penetration testing — these should be security 101 for many companies,” says Rodolphe Simonetti, Verizon’s managing director for its PCI practice.

Although PCI is supposed to serve as a baseline in security, rather than a total solution for security, Simonetti says “the more compliant you are with the PCI DSS, the less likely you are to suffer a breach.”

Penetration testing and vulnerability scanning are critical to effective information security, and are mandated by the PCI DSS. Regular testing should be a fundamental part of your monthly and quarterly security checking to ensure your controls are operating as effectively as possible.

Another worrying statistic is that less than a third of companies were fully compliant with the Standard one year after successful validation.

“Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities within an organisation’s greater security strategy.” Says Simonetti.

Stephen W. Orfei, general manager of the PCI Security Standards Council, said businesses much change their “casual mindset” about data security.

Considering that 69% of surveyed customers say they would be less inclined to do business with a breached organisation, PCI compliance cannot be taken lightly.

“The report emphasises that we still have a long way to go because cyberattacks are on the rise, and too many companies do not make payment security an all-day, every day priority,” says Orfei.

IT Governance has been trusted to deliver its PCI consultancy services to a large number of commercial and not–for-profit organisations throughout the world. Our clients range from well-known corporate entities to small and medium-sized businesses positioned in government, healthcare, financial services, IT services and e-commerce markets. As an approved QSA company, IT Governance’s comprehensive expertise in PCI, penetration testing and ISO 27001 means that we can help you cost-effectively integrate your information security management system (ISMS) with other security frameworks, enabling you to maintain compliance with the PCI DSS at a fraction of the regular cost of compliance.

Whether it is assistance you need in completing your self-assessment questionnaire (SAQ), conducting a compliance audit, delivering a Report on Compliance or any other requirement, contact us today for a quote to discuss your compliance needs.

PCI-DSS-Environment-Banner (2)