Verizon recently completed a payment security audit of 100 businesses , 60% of which were American businesses, that store debit and credit card information. Verizon discovered only a meager 21% of those investigated were found to be compliant with current Payment Card Industry Regulations, according to an article appearing on informaitonweek.com.
There are 12 requirements that must be met to render a business compliant with the Payment Card Industry Data Security Standard. Verizon’s audit revealed that, out of everything, businesses struggled specifically with the following:
*maintaining security policies
*tracking and monitoring access to saved credit card data
*protecting stored cardholder expiration dates
*regularly testing systems and processes
According to Verizon’s research, the amount of awareness of PCI within a business is directly proportional to their level of compliance. Therefore, it seems that not enough employees are being educated about PCI.
“The more aware your organization is of the standard, the more prepared you are for the type of approach you take,” said Jennifer Mack, director of global PCI services for Verizon, in an interview for informationweek.com.
Another finding of Verizon is that a large number of merchants felt overconfident regarding their policies and procedures, which led to threats which demonstrated the highest amount of rise being more or less ignored.
One of the mistakes that small companies tend to make is in assuming their size makes them less likely to be targeted by identity thieves and hackers. The reality is, though, that some two-thirds of attacks on corporate data happened to businesses employing less than 100 people.
Visa officials claimed in an annual report that a startling 95% of credit card breaches occurred within small business environments.
In 2009 the PCI council released a Prioritized Approach in an attempt to aid businesses in determining exactly which aspects of PCI to address first to affect the greatest reduction in risk to cardholder data. However, Verizon’s audit revealed that few businesses were employing the Prioritized Approach.
“Since the Prioritized Approach emphasizes reducing risk to cardholder data, the apparent lack of adoption … may actually allow weaknesses in areas associated with higher threat likelihood and impact to exist longer than necessary,” according to Verizon’s report as per informatinweek.com. “This is a case of the end goal getting in the way of pragmatic security.”
While the latest version of PCI isn’t any stricter, it demands more from businesses as they have to do more to demonstrate that they meet compliance standards.
“The executive summary and definition of scope has been stepped up, and the detail and evidence requirements have been stepped up,” said Mack according to informationweek.com.
“The majority of our clients did end up achieving full PCI compliance in the end. Beginning January 1, there is no other choice.”