
Report Finds Companies Remain Lax with PCI Compliance


Written By
Sue Poremba
Mar 19, 2015

An announcement was made today that victims of the Target breach could get up to $10,000 as part of a class-action settlement.

Okay, chances are slim that the average person affected will see even $10 from Target, let alone $10,000, but this is yet another example of just how costly a data breach can be for a company, and in ways you might not expect.

I point out this settlement because I think this is the tip of the iceberg when it comes to all of the high-profile retail breaches we saw last year. There will be consequences to pay for data breaches involving compromised credit card data. And expect it to get worse before it gets better, if Verizon’s recently released PCI Compliance Report is a foreshadowing of the future.

The report found that despite the steady increase in the number of security incidents, four in five companies are still failing when it comes to PCI compliance. This comment jumped out at me from the report:

Of all the data breaches that our forensics team has investigated over the last 10 years, not a single company has been found to be compliant at the time of the breach — this underscores the importance of PCI DSS compliance.

That’s not to say businesses aren’t trying to be compliant. In fact, the report did find improvement in compliance efforts, as eWeek pointed out:

Verizon found that companies typically met nearly 94 percent of the requirements of the Payment Card Industry’s Data Security Standard during an initial assessment conducted in 2014, up from 85 percent in 2013.

More companies than ever were found in compliance with 11 of the 12 requirements. The only area where companies stumbled is in conducting regular security scans.

But here is the real problem for these companies and PCI compliance: Once they get their certification, they slack off on security and that’s when they become vulnerable. Lazy security attitudes like, “We’ve done what we needed to do, now we don’t have to worry about it,” have repercussions. When the breach happens—because you know at this point it is when, not if, especially if you let security actions slide—you risk losing more than data. You risk losing your customers. As ComputerWeekly explained, people lose faith in a company’s ability to securely manage data after a breach:

One of the biggest negative effects of data breaches is the loss of customer trust; studies show 69% of consumers are less inclined to do business with an organisation that has been breached.

Sustainability is a buzzword in this Verizon report. Becoming PCI compliant is an important first step, but real cybersecurity comes when the company sustains the controls well beyond the assessment period.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba.

Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
