80 percent of merchants fail PCI DSS compliance assessment

Verizon’s 2015 PCI Compliance Report reveals that eighty percent of merchants fail the interim PCI DSS compliance assessment.

According to a new report by Verizon Communications Inc., nearly 80 percent of global merchants, including retailers, financial institutions, and hospitality firms, are not in compliance with card data security standards.

Reuters reported that 5,000 merchants in 30 countries have failed interim tests verifying compliance with the Payment Card Industry Data Security Standard (PCI DSS) framework. PCI DSS is a proprietary information security standard for organizations that handle branded credit cards from the major card brands; it aims to increase controls in order to reduce credit card fraud.


The Verizon report revealed that only 20 percent were compliant with the Payment Card Industry Data Security Standard (PCI DSS), a concerning figure considering the growing number of data breaches suffered by retailers and other organizations.

The recent massive data breaches at Target and Home Depot demonstrate the importance of implementing effective security controls to prevent illegal activities.

By comparing data collected in 2013 and 2014, experts noticed that compliance went up for 11 out of the 12 payment data security requirements, with an average increase of 18 percentage points.

The adoption of the security standard is a necessary step to mitigate the risks of exposure for the cardholder; the urgency is clear if we consider that credit and debit cards represent a significant portion of purchases by value in many countries.

“Credit and debit cards account for two-thirds of purchases by value in the United States. A further $2.17 trillion is spent via electronic methods, such as PayPal and mobile payments — many of which are ultimately backed by card transactions,” the report said, as reported by Reuters.

According to the report, only 29 percent of organizations were still fully PCI DSS compliant less than a year after being validated.

“The three key areas where organizations fall out of compliance are: regularly testing security systems, maintaining secure systems and protecting stored data. Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI DSS-compliant at the time of the breach,” said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions.

According to the report, data security represents the principal problem for companies. The number of data breaches in the last year demonstrates that it is still inadequate; countermeasures are not able to mitigate the attacks of criminal organizations. PCI DSS compliance must be viewed as part of a comprehensive information security and risk-management strategy. A PCI DSS assessment can uncover important security gaps that should be fixed, but it is not a guarantee that the data is safe from a

It is important to highlight that PCI DSS compliance is just one part of a company's security posture; it must be included in a wider vision of cyber security that covers information security and risk-management strategy.

Further key findings from the report include:

  • Between 2013 and 2014, compliance increased for 11 of the 12 PCI DSS controls; in other words, 60 percent of companies assessed in 2014 were compliant with any given requirement.
  • The average increase in compliance was 18 percentage points.
  • The biggest jump in compliance was in authenticating access (Requirement 8).
  • The only area where compliance fell was testing security systems (Requirement 11), from 40 percent to 33 percent.

The 2015 PCI DSS report can be downloaded at http://vz.to/PCIR15X.

Pierluigi Paganini

(Security Affairs –  PCI DSS, social network)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
