Fewer than a third of retailers stay compliant between audits

Only 28.6 percent of retailers remain compliant during the time between compliance assessments, according to a preview of Verizon's 2015 PCI Report.

"We see compliance going down day by day, month by month, after the assessment," said Rodolphe Simonetti, managing director for Verizon's compliance consulting. "Compliance is supposed to be supporting security, not just a yearly checklist."

The Payment Card Industry Data Security Standard has 12 main requirements. The most likely to go unmet between audits? The requirement to maintain a firewall and to make sure that there is a strong network-protection layer, said Simonetti.

Not every company drops the ball on this one, he added. But the majority do.

"You would expect that companies would test their systems on a regular basis," he said. "But it looks like they're testing their systems on an annual basis. It was really a surprise."

For example, he said, retailers are supposed to regularly review the rules for their firewalls to ensure that they are strong enough. But during some parts of the year, other things come first.
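The kind of review described above can be scripted so that it runs between assessments rather than once a year. The following is an added example, not code from the article or from Verizon: it parses a constructed iptables-save style ruleset, compares it against the ruleset approved at the last assessment to surface drift, and flags rules that accept traffic from any source without being limited to established sessions. The sample rules, the baseline and the permissiveness criterion are all assumptions made for the illustration.

```python
"""
Continuous firewall rule review (added example, constructed data).

Two checks a retailer could schedule between PCI assessments:
  1. drift: rules added or removed relative to the approved baseline;
  2. permissive: ACCEPT rules open to any source that are not restricted
     to ESTABLISHED/RELATED traffic.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: ruleset approved at the last assessment.
BASELINE_RULES = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.20.5.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
"""

# Constructed sample: ruleset pulled from the same host months later,
# after two "temporary" rules were added and never removed.
CURRENT_RULES = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.20.5.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT
-A INPUT -j DROP
"""


@dataclass(frozen=True)
class Rule:
    chain: str
    source: str           # CIDR; "0.0.0.0/0" when no -s is given
    proto: str            # "any" when no -p is given
    dport: Optional[str]  # None when no --dport is given
    target: str
    stateful: bool        # True when limited to ESTABLISHED/RELATED
    raw: str


# Options we care about; each option is followed by exactly one value.
_OPT = re.compile(r"(?:^|\s)(-A|-s|-p|--dport|-j|--state)\s+(\S+)")


def parse_rule(line: str) -> Rule:
    """Parse one '-A ...' line from iptables-save output."""
    opts = dict(_OPT.findall(line))
    return Rule(
        chain=opts.get("-A", "?"),
        source=opts.get("-s", "0.0.0.0/0"),
        proto=opts.get("-p", "any"),
        dport=opts.get("--dport"),
        target=opts.get("-j", "?"),
        stateful="ESTABLISHED" in opts.get("--state", ""),
        raw=line,
    )


def parse_rules(text: str) -> list[Rule]:
    """Keep only append rules; skip table headers, counters and COMMIT."""
    return [parse_rule(l.strip()) for l in text.splitlines()
            if l.strip().startswith("-A")]


def is_permissive(rule: Rule) -> bool:
    """ACCEPT from any source that is not limited to established sessions."""
    return (rule.target == "ACCEPT"
            and rule.source == "0.0.0.0/0"
            and not rule.stateful)


def review(baseline_text: str, current_text: str) -> dict[str, list[str]]:
    """Report drift against the baseline and any permissive current rules."""
    baseline = parse_rules(baseline_text)
    current = parse_rules(current_text)
    base_raw = {r.raw for r in baseline}
    cur_raw = {r.raw for r in current}
    return {
        "added": [r.raw for r in current if r.raw not in base_raw],
        "removed": [r.raw for r in baseline if r.raw not in cur_raw],
        "permissive": [r.raw for r in current if is_permissive(r)],
    }


if __name__ == "__main__":
    for category, rules in review(BASELINE_RULES, CURRENT_RULES).items():
        print(f"{category}:")
        for raw in rules:
            print(f"  {raw}")
```

Run on a schedule against a real `iptables-save` dump, a non-empty `added`, `removed` or `permissive` list is the signal that the ruleset has drifted from what was assessed; the two constructed rules above (RDP open to the world, and an unrestricted ACCEPT) show up in both lists.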

"Like when they get ready for Black Friday, security becomes less of a priority," he said.

Simonetti said he regularly hears people say that compliance doesn't support security, that it's an occasional project. It's not part of the ongoing security operations.

"But what we see from a lot of customers is that a compliance audit often uncovers a lot of important security gaps," he said. "If you use it properly, it will definitely aid in supporting security. But if you think of it as a yearly exercise, then it does not support security."

One sign that this attitude needs to change? Out of hundreds of companies that were breached over the last five years, not a single one has been fully compliant at the time of the breach.

The full 2015 PCI Report will be released at the end of February and will include the results from thousands of PCI assessments conducted by Verizon for mostly Fortune 500 and large multinational firms in more than 30 countries.

This is the first year that the report will look at the DSS 3.0 standard, which specifically addresses the issue of compliance as a continuous process rather than a one-time review.

Looking beyond breach prevention, Simonetti said that companies also need to be more prepared for when a breach does happen.

"A lot of companies focus solely on security and not on resilience," he said. "We still see too many companies not being ready in case of a breach. If something happens, they are not ready to react."

An appropriate and immediate response, however, can significantly reduce the effects of a breach, he said.

But many companies are very slow to respond, he said.

"Sometimes it took weeks before they even noticed they were breached," he said.

Stories by Maria Korolov