Lapses cause companies to fall out of PCI compliance

Poor day-to-day security practices have caused many companies to fall out of compliance with the wide-ranging Payment Card Industry (PCI) Data Security Standard, according to the latest research from Verizon.

The company's 2011 PCI Compliance report said that just 20 per cent of the organisations surveyed were able to fully meet the requirements when filing their initial report on compliance.

Jen Mack, director of Verizon's global PCI consulting services, told V3 that, after achieving compliance, many companies fail to maintain proper protection on a daily basis.

Mack explained that many firms are left to play catch-up from the early stages of the process to the formal compliance testing when the annual audits for PCI compliance come around.

"It is not a matter of whether these organisations achieve compliance, it is that they are not maintaining their compliance throughout the year," she said.

"It really shows in that a lot of these organisations are not trying to become compliant for the first time."

Verizon found that companies beginning the certification process meet just 78 per cent of total requirements on average.

Encrypting stored customer data, regular testing and monitoring access were among the most common lapses.

Mack said that companies should consider meeting and maintaining PCI compliance as part of a larger security strategy rather than a set goal to be met.

Organisations should assess security and provide compliance on a weekly and daily basis by appointing internal specialists to monitor compliance with the backing of executives.

"I think it comes down to how the organisation looks at data security and what approach they take," Mack said. "Are they just trying for compliance or are they trying for security and achieving compliance along the way?"