According to a report put out by Verizon Communications, four-fifths of companies fail interim compliance assessments for payment card data security.
For organizations that handle payment card data, such as cards issued by Visa and MasterCard, the Payment Card Industry Data Security Standard (PCI DSS) functions as the essential rules of the road. The standard exists to protect cardholder data by requiring, before any breach is attempted, that institutions have a defined method for safely storing, processing and transmitting payment information.
Yet when Verizon's forensics team worked backwards from the data breaches it investigated over the last 10 years, it was not able to find a single breached firm that had been in compliance with all 12 PCI DSS requirements at the time its data was lifted.
The good news out of the report is that between 2013 and 2014, compliance was on the rise in every measurable area except testing security systems. The telecom firm also noted that businesses need to minimize the number of openings in their systems through which sensitive data can be extracted, using techniques such as network segmentation and data masking.
While most firms are not short on security procedures, Verizon notes, small changes within an organization can often cause systemic effects that damage security in ways that are not immediately obvious.
“We’re in such a constantly changing environment, actually keeping up with the way the architecture and services change, compliance is going to be a snapshot at a point in time,” said Mark Hughes, president of U.K.-based BT Security, part of BT Global Services.
However, security demands keep changing, and full compliance often means more (and more expensive) infrastructure. Because data security is rarely seen as a revenue generator, it doesn't always attract maximum enthusiasm from the business.
Moreover, even if an institution nails down PCI compliance, it still has a long way to go before all of its financial data is secure.
“If regulations are the beginning and end of your security strategy, you need to rethink your strategy,” a report released Thursday by Forrester Research Inc. says. “Compliance-based strategies have narrow controls that are of limited use to the entire enterprise.”