Four in five companies fail PCI compliance assessment
Four out of five companies fail their interim Payment Card Industry Data Security Standard (PCI DSS) compliance assessment, leaving them vulnerable to cyberattacks, according to Verizon.
The US telecom giant’s 2015 PCI Compliance Report shows that only 29% of companies are still fully PCI DSS compliant less than a year after being validated.
The report shows signs of improvement, with compliance increasing across 11 of the 12 PCI DSS controls. Around 60% of the companies assessed in 2014 were compliant with any given requirement.
But compliance is still inadequate for many businesses handling payment card transactions, according to Verizon Enterprise Solutions Managing Director Rodolphe Simonetti.
“The three key areas where organisations fall out of compliance are: regularly testing security systems, maintaining secure systems and protecting stored data,” he said.
“Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI DSS-compliant at the time of the breach.”
The volume and scale of data breaches in the past 12 months show that current security techniques are not stopping attackers and in many cases aren’t even slowing them down, Simonetti said.
PCI DSS compliance should only be viewed as one part of a comprehensive information security and risk management strategy.
Verizon’s report analyses PCI DSS compliance for companies in more than 30 countries, with a specific focus on companies in the financial services, retail and hospitality sectors.