A new Verizon report on the Payment Card Industry and Compliance highlights the importance of compliance as an ongoing initiative, whether it be for PCI compliance or for compliance with other standards or laws.
The report looks at more than 100 PCI DSS assessments conducted by Verizon alongside payment card data breach information. The report found that only 21% of organizations were fully compliant during their initial audit for the year. While companies may reach compliance, they often fail to maintain a state of compliance for their next assessment. Wade Baker, director of Risk Intelligence for Verizon Business, notes:
"This is clearly an event for them rather than something that is a continuous process. We’re seeing lots of scrambling to get things in order for the assessor and that’s not the intent of PCI DSS at all."
Key PCI requirements that organizations struggled the most with include protecting stored cardholder date, tracking and monitoring access, regularly testing systems and processes and maintaining security policies. Many companies are not approaching compliance with a risk-based approach, as supported by the Prioritized Approach laid out by the PCI Security Standards Council, leaving these companies open to high-risk security threats.
Even if your company does not handle PCI, the report highlights the importance of compliance as a continuous effort. The business environment is always changing, with acquisitions, new partnerships, changes in employees and changes in the threat environment. Compliance requires that data security be an ongoing effort.