Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 6 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

PCI compliance drops before and after initial audit

by The Gurus
March 12, 2015
in Editor's News
Share on FacebookShare on Twitter

Compliance with payment security features of the PCI data security standard (DSS) dropped significantly in 2014.
According to the 2015 PCI Compliance Report, 80 per cent of businesses fail their interim PCI compliance assessment, while less than a third (28.6 per cent) of companies had maintained full compliance within a year of validation, and no more than 74 per cent had sustained compliance with any individual Requirement.
Based on four years of data and including the results from thousands of PCI assessments conducted by Verizon’s team of PCI Qualified Security Assessors, the PCI Report is based on analysis of PCI Data Security assessment data.
This year’s findings indicate that only 28 percent of companies are still fully DSS-compliant less than a year after being validated. While annual compliance and ongoing control standard maintenance remains low, there is some positive news in the 2015 report. Also, of all the data breaches that the Verizon forensics team has investigated over the last ten years, not a single organisation was PCI DSS compliant at the time of the breach.
In an email to IT Security Guru, Kim Haverblad, Northern Europe professional services manager of the PCI practice at Verizon, said that the reason that less then a third of companies had maintained full compliance within a year of validation was because there has always been a number of areas where PCI DSS has been a challenge when it comes to implementing the controls, such as requirement 11 “Regularly test security systems and process”, which is frequently on our Bottom 20 list. “Often this is due to poor implementation, bad processes and procedures, or lack of awareness; not necessarily due to technology constrains,” he said.
Asked if he felt that the failure to comply led to the multiple payment breaches in 2014, Haverblad said: “While I don’t have any statistics to confirm whether this is a reason for an increase of so many payment breaches in 2014; it’s clearly a contributor if an organisation isn’t fully compliant and has gaps in their security layered model, which after all, PCI DSS does try to implement with the various security domains.
“Once you start to slip in one area it will have an impact on other supporting areas and without proper supporting processes and procedures one can often see negative spiral on compliance in an organisations.”
Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI-compliant at the time of the breach and the two key areas where organisations fall out of compliance include regularly testing security systems and processes and maintaining firewalls.
Rodolphe Simonetti, managing director for Verizon’s PCI practice, said: “Given the volume and scale of data breaches in the last 12 months make it clear that current techniques are not stopping attackers – in many cases they aren’t even slowing them down. PCI DSS Compliance is must be viewed as part of a comprehensive information security and risk-management strategy. A PCI DSS assessment can uncover important security gaps that should be fixed, but it is no guarantee that the data is safe.”
Luther Martin, chief security architect at HP Security Voltage, said that the PCI standard describes a reasonable baseline of controls that everyone should follow, but how these are implemented is really determined by the particular configuration of a particular set of systems.
“Once those systems evolve, like they have to do to stay useful and relevant, it’s easy to end up with a configuration that isn’t as secure as the previous one,” he said. “When this happens, it’s easy to stop complying with the PCI DSS, as well as many other data security regulations. So the data that appears in Verizon’s recent report that suggests that organisation are having difficulty maintaining PCI DSS compliance shouldn’t come as a surprise to anyone.”
Adam Winn, manager of OPSWAT, said: “PCI-DSS is sometimes considered the poster child of effective an compliance program, and for good reason. Payment processing is a ripe target for attackers, as the payouts can be substantial for a successful attack. There’s a tangible connection to security when a consumer completes a transaction. This type of awareness creates a competitive environment where companies must maintain a high level of security, perceived or actual.
“This is in stark contrast to other industries – specifically healthcare and HIPAA. Consumers often lack any or all choice when it comes to selecting their health care provider, while hospitals and doctors do not advertise the security of their medical records systems, and consumers rarely consider the very real financial impact of medical record theft. For this reason, there’s comparatively less industry and consumer pressure to improve the state of HIPAA technical standards.”

FacebookTweetLinkedIn
Tags: ComplianceData ProtectionPCI
ShareTweetShare
Previous Post

Unsafe mobile apps end up on corporate devices

Next Post

Cyber Security Challenge candidates battle in masterclass final

Recent News

Phone with app store open

$400,000 Fine for Stalkerware App Developer

February 6, 2023
london-skyline-canary-wharf

Ransomware attack halts London trading

February 3, 2023
Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

February 2, 2023
JD Sports admits data breach

JD Sports admits data breach

January 31, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information