Verizon released its 2010 Payment Card Industry Compliance Report, which is based on an analysis of data collected from approximately 200 organizations. Key findings, as listed on page 3 of the report, include:
- 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year after year repeat clients.
- On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. Naturally, there was some variation around this number but not many (11% of clients) passed less than 50% of tests.
- Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).
- Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.
- Sub-requirement 3.4 (render the Primary Account Number (PAN) unreadable) was met through compensating controls far more often than any other in the standard.
- Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council.
- Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.
- All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard that mitigate risk posed by these threat actions.