It’s official: PCI DSS 3.0 is mandatory. The Jan. 1 deadline to adopt the new standards has passed.
Even though merchants were allowed to follow the older 2.0 rules throughout 2014, many still had trouble with compliance, according to a sneak preview of Verizon’s 2015 PCI Compliance Report.
Verizon previewed its annual report at the National Retail Federation Conference this month in New York.
A few highlights:
- Many companies achieve compliance only for a short period. Fewer than 33% were still compliant less than 12 months later.
- Of the data breaches Verizon looked at, not a single company was fully compliant at the time of the breach.
The top areas where organizations fail to meet PCI compliance:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 11: Regularly test security systems and processes
Verizon’s report, due out in February, will examine compliance with the Payment Card Industry Data Security Standard and its correlation to data breaches. It’s expected to cover three years of data and have results from thousands of PCI assessments by Verizon’s team.
We’re looking forward to the report and will be sure to mine it for insights and show you the highlights once it’s published.