Is PCI Compliance Failing?
Verizon came out with its annual report detailing compliance with voluntary Payment Card Industry(PCI) standards intended to make sure that merchants and financial service providers take steps to prevent data theft. The results are depressing with only 11 percent of surveyed companies fully PCI compliant. Despite the fact that PCI has been around for almost a decade the report concludes that the vast majority of organizations lack the ability to have a sustainable PCI protocol
In addition the report uses its bluntest language to date in acknowledging that many merchants aren’t doing enough to protect against data theft. Specifically the report acknowledges the complaints of critics who complain that only the largest merchants have to submit detailed annual compliance reports under the PCI protocols. As a result “while most merchants are striving to comply with (PCI compliance) in good faith” the lack of validation of these efforts “can be a problem.”
The system just isn’t working either because data theft is just too big a problem, or because voluntary compliance just doesn’t work or a combination of both.
Critics of congressional action on data protection correctly point out that codifying specific requirements could result in a system that doesn’t evolve quick enough to address emerging challenges. Conversely this report makes clear that voluntary efforts don’t go far enough. Merchants must be compelled to implement policies and procedures to identify and prevent data theft Just like credit unions. These policies would only have to be commensurate with a merchant’s size and sophistication.
There is no panacea but commonsense federal action would certainly be a step in the right direction.
Here is a copy of the report.