The Payment Card Industry’s Data Security Standard (PCI DSS) has matured in the six years since it was enacted, but businesses are failing to maintain their compliance with the security standard.
In a report (PDF) released Wednesday, Verizon Business analyzed more than 100 PCI compliance cases conducted in the last year. Its basic finding: The vast majority of firms are unable to remain compliant with the 12 requirements of the standard over the course of a year. Only 21 percent of firms stayed compliant with the Data Security Standards between their last successful assessment and their checkup a year later, the report found.
“It is no longer the case that PCI DSS is too hard [or] we can’t get there,” says Jen Mack, director of global PCI services for Verizon Business. “We see many organizations do successful implementations, but we see a backslide as the year progresses, and then they end out of compliance for the rest of the year.”
Firms had problems with protecting card holder data, tracking and monitoring access to sensitive data, and regularly testing system security and processes, the report states. These are PCI DSS requirements 3, 10, and 11, respectively.
The results are similar to Verizon’s first report in 2010, which found that 22 percent of firms failed their follow-up assessment. Yet, there are some significant differences. Verizon has prioritized the milestones that companies need to reach to comply with PCI DSS, putting first the steps that reduce risk the most. The company found that fewer businesses reached each milestone among the current year’s case data.
Overall, the problem is that companies are treating PCI compliance as a goal to reach and not a state to maintain, says Mack.
“Most people are looking at this as a project, rather than as a program,” she says. “The people that are most successful are the people who integrate PCI in with their processes.”
The relationship of PCI compliance to actual security has been debated. However, many security experts argue that the regime is a good starting point for implementing a data protection process within businesses. In its annual Data Breach Investigations Report, Verizon found that 89 percent of companies that suffered a breach were out of compliance with the standard.
This article, “Businesses failing to maintain data security,” was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.