OUCH. Verizon said in a report this month that nearly 80% of organizations that achieve annual compliance with the PCI Data Security Standard *fail* to maintain that status after passing the audit. That leaves them open to potential data breach risks and other security threats. We all know that PCI is an acceptable security baseline on which you then build your full security posture. But not even having PCI compliance in place year-round is asking for trouble.
Verizon reported on the annual PCI compliance assessments that it performed as a service for well over 500 organizations over the last few years. The numbers are based on actual compliance data gathered from organizations in the financial services, retail, travel and hospitality sectors and some other markets.
Rodolphe Simonetti, managing director of the PCI practice at Verizon Enterprise Solutions, said: "More than 82% were compliant with only about eight in 10 PCI requirements at the time of their annual assessments and needed an additional three months or so to close the gaps".
Many organizations see PCI compliance as a hurdle they need to clear once a year, and then take their attention off the issue. They treat it as an annual "goal" rather than as part of their continuous risk mitigation.
"It is really a failure to use compliance standards and tools on a day-to-day basis," Simonetti said. Insufficient staffing and budget are known obstacles to maintaining ongoing PCI compliance at many companies, but the security issues that remain unresolved can be disastrous.