The more compliant an organization is with the Payment Card Industry Data Security Standard (PCI DSS), the less likely it is to suffer a data breach: that is a key takeaway of the Verizon 2015 PCI Compliance Report. Troy Leach, chief technology officer of the Wakefield, Mass.-based PCI Security Standards Council, told Digital Transactions News that security needs to be part of an organization's culture, a point that has been made for some time and that is emphasized in version 3.0 of PCI DSS, the Council's updated data-security standard.
Some industry analysts found it surprising that the industry's most comprehensive annual study of PCI compliance indicated that enterprises, on the whole, were getting better at achieving full PCI compliance despite the many new and revised controls in version 3.0 of the standard.
Verizon's analysis of Initial Reports on Compliance (IRoCs) found that organizations were more likely to be fully compliant with 11 of the 12 requirements in 2014 than they were in 2013, and that the percentage of fully compliant organizations nearly doubled year over year. Verizon reads this as a positive trend, helped by companies and cardholders paying closer attention to card security after the many major data breaches of recent years.
The downside of the report's findings is how hard it is to stay compliant: few organizations sustain it. Verizon found that just 28.6% of organizations remained fully PCI compliant less than a year after a successful PCI validation.
According to Verizon, PCI DSS Requirement 11, which covers the regular testing of security systems and processes, remains a major stumbling block for merchants.
Perhaps the changes that have fostered the most industry discussion are those to Requirement 11.3, and in particular the new sub-requirement 11.3.4. In addition to the existing quarterly external vulnerability scans by an Approved Scanning Vendor (Requirement 11.2.2), organizations must now implement a formal penetration testing methodology and use penetration testing, at least annually and after any change to segmentation controls, to verify that the cardholder data environment (CDE) is actually isolated from all out-of-scope networks.
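What a segmentation test under 11.3.4 has to demonstrate is that no host outside the CDE can reach a service inside it, and that every CDE network was actually probed. The following is an added example, not code from the article or from TransFirst; it evaluates the results of a scan that has already been run from out-of-scope hosts toward the CDE (it does not scan anything itself). The CDE ranges, the result format (`source destination proto/port state`) and the scan lines are all constructed for illustration.

```python
"""Evaluate the results of a PCI DSS 11.3.4-style segmentation test.

Added example. Assumed (not from the article): the declared CDE ranges below and a
scan already run from out-of-scope hosts, saved one probe per line as
    source destination proto/port state
"""
import ipaddress

# Networks declared in scope as the cardholder data environment (assumed values).
CDE_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("10.10.1.0/24"),
    ipaddress.ip_network("10.10.2.0/24"),
]

# Constructed scan output. "open" = a service answered; "closed" = the host answered
# with a reset (reachable at layer 3, nothing listening); "filtered" = no answer.
SCAN_RESULTS = """\
192.168.50.12 10.10.0.5  tcp/443  open
192.168.50.12 10.10.0.5  tcp/22   filtered
192.168.50.12 10.10.0.9  tcp/1433 open
172.16.8.40   10.10.0.9  tcp/1433 filtered
172.16.8.40   10.10.1.20 tcp/445  closed
172.16.8.40   10.20.3.4  tcp/80   open
"""


def parse_results(text):
    """Parse scan lines into (src, dst, proto, port, state) tuples; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, proto_port, state = line.split()
        proto, port = proto_port.split("/")
        records.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                        proto, int(port), state))
    return records


def in_cde(addr, cde_networks):
    """True if the address falls inside any declared CDE network."""
    return any(addr in net for net in cde_networks)


def segmentation_findings(records, cde_networks):
    """Classify probes sent from outside the CDE at hosts inside it.

    Returns {"violations": [...], "reachable": [...]} where
      violations = open ports on CDE hosts answered to an out-of-scope source
      reachable  = closed ports that still answered, so the CDE is routable from there
    Probes sourced inside the CDE, or aimed outside it, are not segmentation findings.
    """
    findings = {"violations": [], "reachable": []}
    for src, dst, proto, port, state in records:
        if in_cde(src, cde_networks) or not in_cde(dst, cde_networks):
            continue
        entry = (str(src), str(dst), f"{proto}/{port}")
        if state == "open":
            findings["violations"].append(entry)
        elif state == "closed":
            findings["reachable"].append(entry)
    return findings


def untested_cde_networks(records, cde_networks):
    """CDE networks that received no probes at all: a coverage gap, not proof of isolation."""
    probed = [dst for _, dst, _, _, _ in records]
    return [str(net) for net in cde_networks
            if not any(dst in net for dst in probed)]


if __name__ == "__main__":
    recs = parse_results(SCAN_RESULTS)
    result = segmentation_findings(recs, CDE_NETWORKS)
    for src, dst, svc in result["violations"]:
        print(f"VIOLATION  {src} -> {dst} {svc} is open across the segmentation boundary")
    for src, dst, svc in result["reachable"]:
        print(f"REACHABLE  {src} -> {dst} {svc} answered; CDE is routable from {src}")
    for net in untested_cde_networks(recs, CDE_NETWORKS):
        print(f"UNTESTED   {net} received no probes; the test does not cover it")
```

Two points in the design matter for an assessment. A "closed" response is reported separately from an "open" one because it still proves the CDE is routable from the out-of-scope host, which is usually a finding in its own right even when nothing was listening on that port. And a CDE range that was never probed is reported as a coverage gap rather than silently counted as isolated, since an absence of findings only means something if every in-scope network was actually tested.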
The changes may catch some organizations off guard, so organizations should strongly consider bringing in trusted Qualified Security Assessors (QSAs) six to nine months before their first PCI DSS 3.0 assessment, leaving enough time to perform a gap assessment and remediate any shortcomings it finds.
Additionally, TransFirst® offers useful guidance and information about PCI compliance through the free resources in the TransFirst Learning Center. Here you can gain in-depth knowledge on the following subjects:
- PCI Compliance Overview
- PCI SAQ
- PCI Scan
- PCI Audit
- PCI Compliant Equipment
- PCI Compliance Myths
- MasterCard® Compliance
- Visa® Compliance
When any part of the card processing environment is noncompliant, the cardholder data that passes through it is exposed. That is why old, unsupported or outdated payment terminals that do not meet PCI DSS requirements should be replaced. Speak to a TransFirst representative about upgrading your payment equipment to reduce your risk of a data breach and take advantage of the latest payment solutions, including EMV® and NFC/contactless mobile payments.
EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries. www.emvco.com