- Essentially unchanged from last year, only 21 percent of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). This is notable, since most had been validated as compliant during their prior assessment. What causes this erosion over the course of the year?
- Also similar to our prior report, organizations met an average of 78 percent of all test procedures at the IROC stage, with considerable variation in compliance scores. For instance, about 20 percent of organizations passed fewer than half of the DSS requirements, while 60 percent scored above the 80 percent mark.
- Organizations struggled most with the following PCI requirements: 3 (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies).
- PCI Requirements 4 (encrypt transmissions over public networks), 5 (use and update anti-virus), 7 (restrict access to need-to-know), and 9 (restrict physical access) showed the highest implementation levels.
- Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council, even less so than in the previous year.
- A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance is a significant factor in their success.
- Once again, organizations that suffered data breaches were much less likely to be compliant than the general population of PCI clients.
- Analysis of the top threat actions leading to the compromise of payment card data continues to show that they are well covered by the scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.
- Verizon PCI report finds firms struggling to maintain compliance
- Annual PCI report: security is a process