PCI Compliance Gaps Could Be Leaving You Open to Data Breaches

Is your business fully PCI compliant? According to recent research by Verizon, the answer to that question is most likely “no.” The vast majority of businesses handling payment card data and sensitive information fail their PCI baseline assessment, and this lack of compliance has a huge effect on the security of payment card information worldwide. 

According to the 2014 PCI Compliance Report by Verizon, only about 11.1% of all businesses dealing with payment card information in 2013 were fully PCI compliant. Even more surprising is that this number represents an increase of 3.6 percentage points from the compliance levels in 2012. This statistic shows the staggering amount of risk that businesses take upon themselves every day by operating with partial PCI compliance.

There are a number of other important takeaways on compliance levels from the report, too. Some of the biggest are: 

  • Most businesses operate at a compliance level of about 85%, meaning that they comply with most of the controls and regulations within the PCI DSS, but not all of them. Approximately 51% are more than halfway compliant, meeting at least 7 of the 12 control standards.
  • Within individual requirements, compliance varies greatly. The most complied-with requirement is Requirement 2, which states that you should not use default passwords on third-party or vendor-supplied equipment. The least complied-with is Requirement 11, which mandates regular penetration testing of security systems. 
  • Organizations that suffer breaches are generally far less compliant than organizations that don’t. There is a clear correlation between becoming more PCI compliant and facing less risk from a data breach.

These points may seem negative, but there is actually an upward trend in businesses becoming more compliant. Verizon estimates that the number of companies compliant with at least 80% of the PCI regulations has gone from 32.1% in 2012 to 82.2% in 2013. This is an enormous jump and it shows that a lot of work has been done to improve security practices, but it also highlights the amount of work left to do.

So what is holding businesses back from achieving full compliance? In many cases, it’s simply the difficulty of assessing, applying, and testing the different standards across large and complex payment networks. For businesses such as Target or Neiman Marcus, which have thousands of different systems within their PCI scope, making sure every system meets every requirement is a huge, if not impossible, undertaking.

Furthermore, the report suggests that many businesses approach PCI as a “once-a-year” event that offers no benefit beyond achieving compliance itself. To these institutions, compliance is not a tool to increase security but an end in and of itself. And while becoming compliant does improve security on the whole, compliance is not the same as security. Enterprises need to keep in mind that, just because they are mostly or entirely compliant, they are not devoid of risk.

The overall implications of imperfect compliance are important to consider. As mentioned above, there is a large correlation between less compliance and more breaches. For instance, in organizations that suffered a breach in 2013, only 12.5% of them had firewalls in place, less than 39% changed default vendor passwords and security settings, and barely 18% protected cardholder data in their networks. Poor practices like these are basically begging to become data breaches.

If you’re a business that handles payment card information or sensitive data, the best thing you can do is start to educate yourself and your employees on the importance of proper security, compliance, and risk. Businesses found in violation of PCI rules can be subject to huge fines – an average of $188 per card number compromised according to the Symantec corporation. A small breach could easily cost you thousands of dollars, and a big one could ruin your entire business.

TokenEx is a Level 1 PCI-certified data security organization that helps you offload your compliance obligations and your risk of a data breach. To learn more about our PCI tokenization services and how they can help your business save time and money, contact one of our representatives today. You can also follow TokenEx on LinkedIn, Facebook and Twitter to get the latest industry information on tokenization, HIPAA, and data security.
