Rodolphe Simonetti, managing director for PCI Consulting Services for Verizon Enterprise Solutions, says there is one common theme connecting all the various companies that have exposed cardholder data (CHD) in data breaches over the past five years: Not a single one was in full compliance with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the breach.
"Compliance needs to be actively maintained. It's a year-round activity. It should be embedded in the normal business process."
— Rodolphe Simonetti, Verizon Enterprise Solutions
"None of the breached companies were still PCI compliant at the time of their breach," Simonetti says. "Many of them were compliant once but were no longer compliant at the time of the breach. Most companies fail to maintain compliance and are no longer compliant just a few weeks or a month after their assessment."
While PCI is no guarantee that you won't experience a data breach, Simonetti says organizations should think of PCI compliance like a seatbelt: It won't prevent you from crashing, but it may well save you if you do.
PCI DSS is a set of international security standards created and maintained by the PCI Security Standards Council (SSC) in an effort to ensure that merchants and service providers appropriately protect CHD, whether from a debit card, credit card, store card or company purchasing card.
PCI DSS 3.0 is the current effective version of the standard. It replaced PCI DSS 2.0 on Jan. 1, 2014, and becomes mandatory on Jan. 1, 2015. The 2.0 version of the standard consisted of six objectives broken down into 12 requirements and 289 controls and subcontrols, ranging from encrypting stored data to conducting vulnerability assessments and configuring access controls. PCI DSS 3.0 has more than 400 controls and subcontrols.
Achieving PCI compliance and maintaining it is often seen as an arduous, expensive and time-consuming task.
Verizon Enterprise Solutions PCI Consulting Services recently issued a detailed report on PCI compliance built on quantitative data gathered by Verizon's qualified security assessors (QSAs) while performing baseline assessments on PCI DSS 2.0 compliance between 2011 and 2013. The assessments spanned many industries and countries.
"According to our research, only around one in 10 organizations were fully compliant with PCI DSS 2.0 at the time of their baseline assessment," writes Ciske van Oosten, director of operations for the Verizon PCI Security practice and lead author of the report. "Despite the increasing maturity of the standard and organizations' understanding of it, attaining compliance remains far from easy — and so it should. Protecting cardholder data is important and the threats to it are very real."