Verizon Says “Holistic Approach” Needed for PCI Compliance
According to PricewaterhouseCooper, security incidents have grown an average of 66% per year for the last five years running. While breaches at retailers and entertainment companies make headlines, all kinds of organizations are affected.
So a new report from Verizon Enterprise should soon be found in the briefcases and backpacks of company managers around the world. The 2015 Verizon PCI Compliance Report says that only 20% of companies passed their interim PCI compliance test in 2014 – and that this low rate of compliance still represented a nearly 100% increase in interim compliance from the year before.
Recurly Chief Architect and co-founder Isaac Hall makes the stakes clear: “PCI compliance is very hard, and becomes harder than ever as merchants grow.”
Image courtesy Verizon Enterprise
Major areas of compliance failure come from the requirement to test security systems quarterly and the need to regularly test firewalls. Many companies store credit card data in unintended locations, without being aware they have done so, and only find out during compliance checks - or after a data breach - that the accidental storage was occurring.
The Verizon report emphasizes the importance of compliance and says a “holistic approach” is needed. Organizations that are breached are more than one-third more likely than other organizations to be out of compliance with a given requirement.
The Payment Card Industry Data Security Standard (PCI DSS) is not a legal requirement, but a standard created by major credit card companies. A new version, PCI DSS 3.0, is being implemented widely this year. The new version raises security standards and adds more than 100 new controls.
Many requirements of PCI DSS 3.0 are “best practices” until June 1, 2015, at which time all parts of the standard become requirements. Hall says, “PCI compliance is going to become a bigger burden for all merchants, online and offline, with v3.”
Recurly customers reduce the scope of their PCI compliance requirements by using Recurly’s vault to store their customers’ credit card data. By submitting the card data directly to Recurly (or their gateway), and using tokenization, customers ensure that card numbers never enter their environment. This is the single biggest step that a vendor can take to reduce their exposure.
The upcoming wave of PCI DSS 3.0 compliance testing is seen as a crucial marker of progress – or, in some cases, lack of progress – in improving data security in an ever-more-challenging online and brick and mortar security environment. Organizations are investing in security improvements and outsourcing partnerships like never before. Expect a wave of news in the coming months about successes and problems in meeting the new standard.