Credit card firms' security compliance has gaps: Verizon

Press Trust of India New Delhi
Last Updated : Feb 11 2014 | 6:31 PM IST
A majority of companies in the payment card industry (PCI) have failed to meet the Data Security Standard, communications giant Verizon said today.
Verizon's 2014 PCI Compliance Report also revealed that payment card transactions remain a prime target for attackers, and incidents of data breaches have witnessed an upward trend.
"Verizon report has found that too many businesses, after following their annual assessment for meeting PCI DSS, fail to maintain ongoing compliance, putting their operations at an increased risk of data breaches and financial and reputational damages," Verizon Enterprise Solutions Asia-Pacific Head (PCI-DSS) Sabastien Mazas told PTI.
Quoting the Nilson Report, he added that global credit card fraud had exceeded USD 11 billion in 2012 alone.
Mazas said the PCI report does not prevent breaches, but it provides an in-depth assessment of the security scenario and the threat landscape.
The report's findings are based on hundreds of PCI DSS assessments conducted by Verizon's team of PCI qualified security assessors from 2011 through 2013.
This year's report, the third in the series, analyses PCI Data Security assessment data with a specific focus on the retail, financial services and hospitality industries across North America, Europe and the Asia-Pacific region.
"The report reveals that in most cases, payment card data breaches are not a failure of security technology or of compliance with the PCI DSS, but rather a failure to implement appropriate compliance and security measures as intended," he said.
Verizon Enterprise Solutions PCI Practice Managing Director Rodolphe Simonetti said many organisations view PCI compliance as a single annual event, but are unaware that compliance needs to have a 365-day-a-year focus.
"However, there is a bright spot in the report. In 2013, more than 82 per cent of organisations were compliant with at least 80 per cent of the PCI standard at the time of their annual baseline assessment, compared to just 32 per cent in 2012," he added.
Region-wise, Asia-Pacific was the most compliant, Mazas said.
The Asia-Pacific region took the top spot (75 per cent), followed by the US with 56 per cent and Europe with 31 per cent in meeting at least 80 per cent of the PCI requirements, he added.
"There were also regional differences due to breach notification laws, varying legal requirements and levels of adoption," Mazas said.

First Published: Feb 11 2014 | 6:31 PM IST
