By Beth McGarrity
Verizon Business just issued the results of its 2011 Payment Card Industry Compliance Report and the findings are a bit sobering. More than three-quarters of enterprises audited in the past two years for compliance with the Payment Card Industry Data Security Standard failed to pass their initial evaluation.
Of the 100 firms evaluated by accredited Verizon assessment teams, only 21 percent were found fully compliant at the completion of their Initial Report on Compliance (IROC) – meaning that 79 percent of the organizations evaluated essentially failed the first test.
In addition, according to Verizon, these findings indicate a pattern of backsliding after organizations achieve compliance. The reasons for this are likely fatigue and complacency. Businesses may think that compliance is not something that needs to be constantly monitored and updated.
The report revealed that the requirements organizations are struggling with the most are:
- 3 – Protect stored cardholder data
- 10 – Track and monitor access
- 11 – Regularly test systems and processes
- 12 – Maintain security policies
When it comes to protecting stored cardholder data and reducing PCI scope, one of the most effective approaches is implementing a tokenization solution: the primary account number (PAN) is replaced by a surrogate value that has no value to an attacker, and the PAN itself is kept only inside a tightly controlled vault. The PCI Council recently stated that “storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.”
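To make the tokenization idea concrete, here is a small added example (not code from Verizon, the PCI Council, or any vendor) of a token vault: merchant systems keep only the token and the last four digits for display, while the vault maps tokens back to PANs. The in-memory dictionaries, the `lookup_key` secret, and the constructed test card number `4111111111111111` are assumptions for illustration; a real vault would hold the mapping in encrypted storage inside the cardholder data environment.

```python
"""Illustrative PAN tokenization vault (added example, not a vendor product).

Design choices shown here:
  * tokens are random, not derived from the PAN, so they cannot be reversed
    without access to the vault;
  * the last four digits are preserved so receipts and support screens work
    without ever seeing the PAN;
  * every token deliberately fails the Luhn check, so a token can never be
    mistaken for (or accidentally processed as) a real card number;
  * the PAN -> token index is an HMAC of the PAN, so the vault can return the
    same token for a repeat customer without storing PANs in a searchable form.
"""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits (e.g. for receipts)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps PANs to random, format-preserving tokens and back.

    Only this object (the 'vault') ever holds PANs; everything else in the
    merchant environment works with the tokens it hands out.
    """

    def __init__(self, lookup_key: bytes):
        # lookup_key is an assumed secret; in practice it lives in an HSM or KMS.
        self._key = lookup_key
        self._pan_by_token: dict[str, str] = {}   # token -> PAN (assumed stand-in for encrypted storage)
        self._token_by_index: dict[str, str] = {}  # HMAC(PAN) -> token, for idempotent tokenization

    def _index(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        """Random token: fresh digits except the last four, never Luhn-valid, never a duplicate."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token != pan and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a token; repeated calls with the same PAN return the same token."""
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("input is not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = self._new_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation (e.g. settlement) that recovers the PAN from a token."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    constructed_pan = "4111111111111111"          # well-known test card number, constructed input
    token = vault.tokenize(constructed_pan)
    print("stored by merchant systems:", token, mask_pan(token))
    print("recovered inside the vault :", vault.detokenize(token))
```

The point of the example is scope reduction: systems that store, log, or display only the token never hold cardholder data, so PCI DSS requirement 3 applies to the vault alone rather than to every application that touches a transaction.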
As Jen Mack, director of PCI Consulting Services for Verizon, highlighted in an interview with GovInfoSecurity.com, failure to meet PCI compliance standards can leave organizations vulnerable to breaches. “Are more breaches possible? Honestly, I think it’s a real possibility, unless these organizations get serious,” says Mack.