News Feature | February 18, 2014

Maintaining PCI Compliance Still Challenges Retailers

Source: Innovative Retail Technologies

By Anna Rose Welch, Editorial & Community Director, Advancing RNA

Verizon report shows retailers struggle to maintain PCI Security Standards

After all the increased concerns about security lately, the new “Verizon 2014 PCI Compliance Report” reveals some less-than-welcome news about the state of businesses’ compliance. According to the report, a majority of businesses that accept payment cards fail to maintain PCI Security Standards, putting themselves at greater risk for data breaches. This lack of compliance, the report argues, also puts these retailers in danger of damaging their reputations and finances — not to mention their customers’ finances — should a breach occur.

As the report says, payment card data breaches are attributed to a failure to implement the appropriate compliance and security measures. Rodolphe Simonetti from Verizon Enterprise Solutions says that a retailer’s mindset about PCI compliance is part of the issue. Simonetti says, “We continue to see many organizations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365-day-a-year focus.” In particular, security testing, security monitoring, protecting stored sensitive data, and effectively detecting and responding to a compromise are the areas where retailers struggle most with compliance. Because anything less than 100 percent compliance is problematic for a company’s reputation and harms consumers’ trust, Simonetti says that “organizations need to rethink how they factor in maintaining a PCI-compliant environment, whether it’s devoting more resources or working with a managed security services provider.”

There was some good news in the report, however: initial compliance is beginning to show improvement. In 2013, more than 82 percent of organizations were compliant with at least 80 percent of the PCI standard at the time of assessment. This is a steep increase from 2012, when only 32 percent of companies were compliant. The Asia-Pacific region was the top region in maintaining at least 80 percent PCI compliance. The U.S. came in second, followed by Europe.

Despite the report’s and card associations’ assertions that maintaining PCI compliance is the best way to protect a business from a security breach, there has been some opposition to this argument. In particular, Greg Buzek of IHL Consulting Group argues that the card associations’ PCI security requirements, which demand a great amount of financial and labor resources, are actually drawing focus away from all aspects of security. As Buzek says, “PCI is our industry TSA. It started with good intentions. The reality is it made everything else less secure due to limited resources. Compliance is not security, period.”