Only 21% of businesses that store credit and debit card data maintain compliance with Payment Card Industry (PCI) regulations in between their mandatory annual audits. Those findings are based on more than 100 PCI audits--60% of them for U.S. businesses--conducted by Verizon's PCI assessors in 2010.
"The majority of our clients did end up achieving full PCI compliance in the end," said Jennifer Mack, director of global PCI services for Verizon, in an interview. But surprisingly, 79% of businesses rated as PCI-compliant fell out of compliance over the course of the year. In other words, their information security and risk management practices got worse.
Here are the five reasons why businesses' PCI backsliding is putting people's card data at risk.
1. Businesses See PCI As A Burden. PCI isn't exactly a new standard, or complying with it a new requirement. Why aren't more businesses taking it to heart? "Well, it's hard to say, but one common reason is that they have not internalized the fact that PCI DSS is to help them (as well as card brands and banks) with security. It is not to punish them for failing an audit. PCI is seen by many as an 'externality,' not something they 'adopted for themselves,'" said Gartner analyst Anton Chuvakin in an interview.
[Are your Web-connected photocopiers, scanners, and VoIP servers compromising your enterprise security? Learn more at Corporate Espionage's New Friend: Embedded Web Servers.]
2. Merchants Don't Maintain Continuous Compliance. Many businesses don't pursue PCI as a way to improve security, but rather treat it as a compliance obligation. "PCI is still often seen as a 'one time per year' thing, and such an attitude is pretty harmful--but mostly to the merchants themselves, by the way. Organizations keep 'doing it over,' not maintaining it," said Chuvakin.
What's better? Put an effective security program in place, and then use that program to demonstrate compliance with any given regulation, in a so-called continuous compliance approach. But with only 21% of Verizon-audited businesses remaining in compliance between audits, many obviously haven't bought into the concept.
3. Poor Awareness Means Lackluster Effort. Compliance officers--or perhaps senior managers--are failing to educate themselves about PCI, and according to Verizon's research, the greater awareness of PCI found in a business, the greater the actual compliance. "The more aware your organization is of the standard, the more prepared you are for the type of approach you take," said Verizon's Mack.
4. Compliance Checklists Trump Security Posture. To help businesses better comply with PCI, the council in 2009 released the PCI DSS Prioritized Approach to help businesses know which aspects of PCI to address first to most mitigate the risks to cardholder data. But Verizon saw a 10% drop in use of the prioritized approach, and little use of it overall. "Since the Prioritized Approach emphasizes reducing risk to cardholder data, the apparent lack of adoption ... may actually allow weaknesses in areas associated with higher threat likelihood and impact to exist longer than necessary," according to Verizon's report. "This is a case of the end goal getting in the way of pragmatic security."
5. Businesses Not Prepping For PCI 2.0? Businesses that skimp on continuous compliance may soon find themselves called to account as they move to PCI DSS 2.0, with which businesses could have begun demonstrating compliance as of October 2010. "Just in this last quarter, we've seen our clients begin to adopt 2.0," said Mack. "Beginning January 1, there is no other choice."
The latest version of PCI isn't necessarily more stringent, she said, but it does require businesses to provide more evidence of their compliance. "The executive summary and definition of scope has been stepped up, and the detail and evidence requirements have been stepped up," she said. Might that finally help more businesses to get their security and thus PCI-compliance house in order?