PCI DSS compliance improving, says Verizon

Compliance went up for 11 of the 12 requirements, according to the report

Over 60 per cent of companies assessed by Verizon were compliant with one or more Payment Card Industry Data Security Standard (PCI DSS) requirements in 2014, according to the vendor’s latest global report.

There are 12 PCI DSS requirements including firewall maintenance, securing configurations, protecting stored data, protecting data in transit, anti-virus maintenance, secure systems maintenance, access restriction, authentication access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.

The PCI Compliance Report 2015 found that 71 per cent of companies were compliant with firewall maintenance in 2014, compared to only 44 per cent of companies in 2013.

Securing configurations was met by 67 per cent of companies last year, compared to 42 per cent of companies in 2013.

The biggest improvement was in access restriction, with 89 per cent of companies surveyed meeting this requirement during 2014. This was up from 60 per cent the previous year.

However, compliance with the testing of security systems requirement fell: 40 per cent of companies were compliant in 2013, compared with 33 per cent this year.

Commenting on the results, Verizon PCI professional services manager Sébastien Mazas said the decline could be attributed to companies not properly testing the security of their environment.

“It remains one of the main things that is difficult for a company: to periodically test the security of the system to make sure all the [PCI DSS] requirements are covered,” he said.

“One of the reasons we have seen is a lack of governance. We have seen companies that forgot to do penetration testing because the guy who was meant to do it left the company.”

Mazas acknowledged that compliance is complicated and requires a business impact analysis.

“The answer is to fully integrate compliance in your organisation’s larger governance, risk and compliance [GRC] strategy and make it part of day-to-day activities. PCI DSS compliance should be part of business as usual – in terms of processes and technology – and ensure that all activities in the compliance program are in line with your operational environment and risk profile.”
