Consumer credit card data still at risk due to weak protection
The number of companies that met the standard designed to keep consumers from being hit with fraudulent credit card debt neither shrank nor grew in 2011, a new study found.
Just 21 percent of organizations surveyed reported that they fully met the Payment Card Industry Data Security Standard (PCI DSS), the baseline set of controls for protecting consumer credit card information so that it is not compromised in a data breach, according to the latest annual Verizon Payment Card Industry Compliance Report. Security experts consider this especially troublesome because organizations that suffered data breaches were, in Verizon's investigations, far less likely to have been compliant, and those breaches expose consumers' financial details and cause credit problems.
"We had hoped to see more organizations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organizations and in all likelihood lead to fewer breaches," said Wade Baker, director of risk intelligence for Verizon. "By reviewing this report, organizations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit-card environment for consumers and businesses."
The areas in which companies most often fell short of PCI DSS requirements were protecting stored cardholder data (Requirement 3), tracking and monitoring access to that data (Requirement 10), regularly testing security systems and processes (Requirement 11) and maintaining a security policy (Requirement 12), the report said. The most likely reason for these failures is that becoming compliant is difficult, though overconfidence in existing security systems and complacency may also be to blame. Some companies may also be focusing on other security considerations or issues.
Verizon also recommended a number of ways for businesses to become compliant, the report said. For example, companies should treat compliance as a daily process that can be improved continuously rather than an annual audit to pass, and putting a security official in charge of tracking the company's progress is one way to ensure that progress is actually being made. It may also be helpful to use a third party to verify that compliance standards are being met, since self-validation can create conflicts of interest.
Millions of Americans have had their personal, medical and financial information exposed in data breaches, leaving them at greater risk of fraud and identity theft committed using their credit card information.