Compliance Blog
Firms Continue To Struggle with Payment-Card Security Compliance

In 2004, in response to increasing payment-card breaches and related fraud, the major payment-card brands banded together to develop the Payment Card Industry Data Security Standard (PCI-DSS) — a 12-requirement standard governing the handling of payment-card data. All merchants and other organizations that store, process and transmit cardholder data are obligated to comply with PCI-DSS.

Last year, Verizon issued its first report on PCI-DSS compliance among organizations subject to the standard. The results of the follow-up report are just out, and they're not encouraging. For the second year in a row, the report found a very low rate of PCI-DSS compliance. According to the 2011 report, only 21% of organizations were fully compliant at the time of their initial audit. On average, organizations were compliant with 78% of the requirements. Some 20% passed less than half of the requirements.

Organizations had the most trouble complying with these PCI requirements: 3 (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes) and 12 (maintain security policies). The report concluded that organizations that suffered data breaches were far less likely to be PCI-DSS compliant than other organizations.

A data breach can be disastrous for any organization: It can lose clients, suffer damage to its reputation, incur huge recovery costs or even go out of business. Training employees to understand and comply with PCI-DSS standards is a worthwhile investment for any organization that handles payment-card data. 

Categories: Data Privacy & Security
Tags: PCI-DSS
