Nearly four out of five businesses are failing to comply with the Payment Card Industry Data Security Standard (PCI DSS), revealed Verizon's 2015 PCI Compliance Report.
With more than two-thirds of all purchases globally being made via payment cards, PCI DSS should be a top priority for organisations that accept credit cards. Businesses that fail to comply with PCI DSS are increasing their risk of cyberattacks, said Verizon in a press statement. "Of all the data breaches studied, Verizon's findings clearly show that not a single company was fully PCI DSS compliant at the time of the breach," said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions.
The report also highlighted the need for organisations to treat compliance as an ongoing focus. Only 28 percent of the companies were found to still be fully PCI-DSS-compliant less than a year after being validated. This is alarming since compliance at a point in time isn't sufficient to protect data, said Simonetti. "Compliance must be a part of day-to-day activities within an organisation's greater security strategy," he advised.
Mandated by the card brands, PCI DSS aims to tighten the controls around cardholder data and so reduce the credit card fraud that results from its exposure. Organisations should thus view PCI DSS compliance as part of a comprehensive information security and risk management strategy, since it can uncover security gaps that need to be fixed, said Verizon.
To help organisations simplify and increase the return on investment of their PCI DSS compliance programme, Verizon provided the following tips:
1. Appreciate the scale of the task
PCI DSS compliance requires a well-managed programme comprising many projects that must be coordinated to ensure overall success, avoid costly mistakes, achieve positive ROI, and produce a real contribution to security.
To accurately scope the work involved, Verizon advises organisations to conduct a business impact analysis prior to gap analysis and remediation projects. This provides IT leaders with a calculated forecast, which will help them secure a budget for security. Since internal staff might not have the skills and time to execute the work, Verizon also recommends a careful, well-designed outsourcing strategy for both the management of security technologies and business processes.
2. Focus on scoping
By keeping the scope of the PCI DSS programme small, organisations reduce the opportunities for breaches to occur, limit the damage a breach can cause, and reduce their own workload. Reducing scope might also result in the consolidation of systems and restructuring of environments, which will help manage compliance costs.
3. Leverage compliance as an opportunity
According to Verizon, coordinated security programmes can deliver quantifiable returns through a stronger security posture across the organisation; more effective orchestration of security, governance and compliance requirements; and improved business processes and business process management.