Many companies in the payments chain failing to meet security standards

John Kavanagh
Four out of five companies failed to meet aspects of their compliance obligations under the Payment Card Industry Security Standards Council's data security standard.

Verizon has released its annual review of PCI compliance, reporting that while the number of companies applying for validation under the PCI SSC's data security standard increased substantially last year, the number failing to achieve compliance was also large.

The PCI SSC is a global self-regulatory body that sets standards and technical requirements for payment systems. American Express, Visa, MasterCard, Discover Financial Services and JCB International were its founding members.

Verizon found that breached companies were less likely to be compliant with PCI standards. "There is a correlation between not being PCI DSS compliant and being more susceptible to a data breach involving payment card information," it said.

"While compliance is no guarantee that you won't be breached, it should reduce the likelihood."

Verizon's view of PCI standards is that they are a good baseline but have deficiencies, which include an over-reliance on prevention, too little attention to detecting attacks, and a lack of focus on mitigating damage once a breach occurs.

"The volume and scale of data breaches in 2014 makes it clear that current techniques are not stopping attackers," it said.

Verizon said many companies that achieved compliance did not maintain their validation. Only 28.6 per cent of companies were still fully compliant less than a year after a successful validation.

It said many companies saw compliance as a cost and an administrative burden and were not prepared to acknowledge the benefits, which include avoidance of reputational damage, customer notification and card reissuance costs, and investigation and remediation costs.