NEW YORK (3/12/15)--Eighty percent of global merchants and companies continue to fall short on their card data security efforts, says Verizon Communications. Its new report lends weight to a key topic of discussion--data breaches and who pays for them--as credit union advocates visited the Hill this week during CUNA's Governmental Affairs Conference (GAC) in Washington, D.C.
Overall compliance with the PCI Data Security Standard (PCI DSS) increased slightly, by 8.9 percentage points from last year, said the Verizon 2015 PCI Compliance Report. However, "four out of five companies are still failing" in compliance, said the report. Verizon Communications surveyed 5,000 global merchants, companies and financial institutions for the annual report.
"The volume and scale of data breaches in the last 12 months make it clear that current techniques are not stopping attackers--in many cases they are not even slowing them down," said Verizon. It noted that a standard PCI DSS assessment can uncover important security gaps that should be fixed but "is no guarantee that your customer's data and your reputation are safe. Of all the data breaches that our forensics team has investigated for the last 10 years, not a single company has been found compliant at the time of the breach," the report said.
Compliance fell the most in the requirement that companies regularly test their security systems. Sixty-seven percent, or two thirds, of organizations did not adequately test the security of all in-scope systems. Only 33% of those surveyed were compliant with the testing requirement, compared with 40% last year.
What's more, those who have been compliant in the past easily fell out of compliance. "The news is not good: less than a third (28.6%) of companies were found to be fully compliant less than a year after successful validation," the report's executive summary said. Many companies tend to upgrade security software and hardware just before the annual compliance check, which provides only a "snapshot" of a point in time.
"It is very easy to fall out of compliance if you don't have robust procedures in place for managing and maintaining it," said Verizon, noting that "a compliance assessment can only ever be a snapshot."
"The takeaway is that companies should focus on building a robust framework with security policies, procedures, and testing mechanisms, as this will increase the chance of being compliant--and customers' data being protected--not just at the point of validation but every day of the year."
PCI DSS, which involves 12 security requirements, is "a baseline--an industrywide minimum acceptable standard, not the pinnacle of payment card security," said the report. (See related story: Nussle: Retailers distract from real data protection problem.)
At CUNA's GAC, data breaches at merchants and retailers were a key topic at a breakout session, "Stopping Merchant Data Breaches and the Future of Payments Security." In addition, several legislators and regulators speaking at the GAC addressed the issue of security breaches and who pays for them.
"Retailers are great at posting signs in the stores that say, 'If you break it, you bought it,'" National Credit Union Administration Vice Chair Rick Metsger told GAC attendees. "Well, what is good for the goose is good for the gander. If their security breaks, they should pay the consequences--not you, your members or your credit union."
Rep. Brad Sherman (D-Calif.) told the GAC that retailers should be responsible for their lack of vigilance in securing personal data. "I look forward to working with you and others that those who fail to guard the data are on the hook for costs caused by that lack of vigilance."
Rep. Randy Neugebauer (R-Texas) and Sen. Chuck Grassley (R-Iowa) also spoke to the issue.