Report: Data breaches linked to payment card security noncompliance
Basking Ridge, N.J. A report released late Monday by Verizon Business found that data breaches are linked to a failure to comply with payment card security standards.
In a first-of-its-kind “Verizon Payment Card Industry Compliance Report,” the company examined the state of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006 to protect cardholder data and reduce credit-card fraud. Company investigators found that breached organizations are 50% less likely to be PCI compliant and that only 22% of organizations were PCI compliant at the time of their initial examination.
In addition to assessing the effectiveness of the PCI DSS, the report, based on assessments conducted in 2008 and 2009, identified which attack methods are most common and offered recommendations to help businesses earn and maintain PCI compliance.
Other key findings included:
While 78% of organizations are not compliant initially, organizations on average meet 81% of the procedures required by PCI. In fact, three-quarters of the organizations met at least 70% of the testing procedures, meaning that with more diligence they have a good chance of becoming compliant.
Only 11% of organizations met less than half of the testing procedures at the time of their initial review.
By reviewing the breach data against official PCI assessments, Verizon analysts determined that organizations that suffered a data breach were 50% less likely to be compliant with the standard than PCI customers as a whole, indicating that PCI compliance can help prevent data breaches.
According to the report, there is a correlation between data breaches and the difficulties companies face in complying with certain PCI requirements. Of the 12 requirements that make up the PCI DSS, three -- protect stored data, track and monitor access to network resources and cardholder data, and regularly test security systems and processes -- cover the areas most vulnerable to security breaches. Yet those three requirements are also the ones companies struggle most to meet.
By coupling PCI assessment data with post-breach analysis, Verizon analysts ranked the top attack methods used to compromise payment card data: malware and hacking (25%), SQL injection (24%) and exploitation of default or guessable credentials (21%).