Ken Cheney
Developed by Visa, American Express, Discover Financial Services, and other members of the PCI Security Standards Council, the PCI DSS is a collection of policies, procedures, and practices to protect customer account data. The standard includes specific requirements for strictly controlling access to customer data, authenticating business users, monitoring access, maintaining a secure network, and auditing system resources.
So, this is one tough standard to break, if followed correctly. But therein lies the rub, because according to a new study out from Verizon this week, a lot of companies aren’t completely following the PCI DSS well enough, which is leading to a marked increase in data breaches.
How much o
f an increase? Try 50 percent: breached organizations are 50 percent less likely to be PCI-compliant, the study found. Even worse, “only 22 percent of organizations were PCI compliant at the time of their initial examination,” according to a press release from Verizon this week.
f an increase? Try 50 percent: breached organizations are 50 percent less likely to be PCI-compliant, the study found. Even worse, “only 22 percent of organizations were PCI compliant at the time of their initial examination,” according to a press release from Verizon this week.
The irony in all this is that many of these organizations are almost there, as far as PCI DSS goes:
“While 78 percent of organizations are not compliant initially, the findings show that, on average, organizations meet 81 percent of the procedures required by PCI. In fact, three-quarters of the organizations met at least 70 percent of the testing procedures, meaning that, with more diligence, they have a good chance of becoming compliant,” Verizon’s press statement said.
An average of 81 percent of the procedures were met? That’s certainly within kissing distance.
So what’s the problem? Why can’t organizations close that final gap to full PCI DSS compliance?
It turns out that of the twelve PCI DSS requirements, three turn out to be the ones with which companies have the most trouble: protecting stored data, tracking and monitoring access to network resources and cardholder data, and regularly testing security systems and processes. Unfortunately, these are also the same requirements that, when not met, enable the biggest vulnerabilities to a non-compliant network.
This is not exactly news at Likewise, though the numbers certainly validate something we’ve been saying all along: security compliance is a big part of why it’s important to get authentication to as simple a policy as you can. That’s why using integration tools is so important: it’s not just about convenience, it’s about keeping things locked down. In fact, it’s so important to PCI DSS compliance, we wrote a whitepaper about it.
If you want to learn more about the Verizon study’s findings, including a list of best practices Verizon found while doing the study, check out the full report.
No comments:
Post a Comment