News Feature | February 6, 2015

PCI Compliance Not Enough For Retailers

Source: Innovative Retail Technologies
By Christine Kern, contributing writer

Sneak peek at the 2015 PCI Report reveals that many companies fall out of compliance once it has been achieved.

A sneak peek at the 2015 PCI Report from Verizon Enterprise Solutions, previewed ahead of publication at the company’s annual NRF event for press and clients on January 12, revealed that becoming PCI compliant is not enough: companies need to maintain compliance. The data shows that many companies fall out of compliance once it has been initially achieved.

National Retail Federation Big Show attendees had the opportunity to learn the initial findings of the report, due out this month, which correlates Payment Card Industry (PCI) Data Security Standard compliance with data breaches occurring at retail businesses and restaurants.

The panel, held during the National Retail Federation “Retail’s Big Show 2015,” also included Greg Buzek, founder and president of IHL Group, and Marianne, EVP and global head of products and innovation at Elavon, in a wide-ranging discussion that covered the EMV mandate — including where retailers should be by October 2015 and the security challenges they face.

Business Solutions Magazine reported that the study found that just one-third of companies that had achieved PCI DSS compliance were able to maintain it in the following year, and that in the data breaches studied, not one company was fully PCI-compliant when the breach occurred.

“Today’s cybersecurity landscape is changing,” said Rodolphe Simonetti, director of compliance and governance professional services for Verizon Enterprise Solutions. “As a result, organizations need to change the way they approach security. Businesses need to adopt a model that we call ‘resilience’ which means they must accept they can never be fully secure. There is no silver bullet for data protection.”

The study also found that organizations regularly fall out of compliance in the areas of routine testing of security systems and firewall maintenance. Simonetti told SCMagazine.com that only “28.6 percent of companies were PCI compliant after one year,” indicating that many organizations “are seeing compliance as a standalone exercise.”

Likening the process to schools prepping for standardized testing, Simonetti explained to SCMagazine.com that many companies train their focus on “being ready for an assessment but not applying it to day to day” operations. This is a mistake, he argued, because “Compliance is an ongoing process.”

Chief among Simonetti’s recommendations for achieving, and maintaining, compliance is that organizations must look at security holistically. Enterprises should accept that breaches can happen; establish safeguards to help prevent attacks; and be prepared to respond with actions that mitigate the impact of a breach, restore defenses, and resume normal operations as quickly as possible.

The 2015 PCI Report covers three years of data and includes results from thousands of PCI assessments conducted by a team of PCI Qualified Security Assessors for Fortune 500 and large multinational firms representing more than 30 countries.

The report examines each of the 12 PCI requirements in depth, as well as the relationship between compliance and security and the largest compliance gaps. The 2014 PCI Report is still available and may be accessed at www.verizonenterprise.com/pcireport/2014/.