PCI: A Compliance Challenge

Verizon Says Most Merchants Still Fall Short

By , October 6, 2011.

Organizations have started achieving PCI compliance, but it's a struggle for many to maintain, says Jen Mack, director of PCI Consulting Services for Verizon.

Verizon's updated Payment Card Industry Compliance Report shows organizations still face issues such as resource and budget availability when trying to meet compliance with the PCI Data Security Standard, Mack says.

More than 100 organizations participated in the study, ranging from Fortune 50 to small businesses. In the study, Verizon notes that businesses may be suffering from a level of security complacency. "Many take the approach that it's a compliance project versus trying to achieve what I think can be an optimal security posture for the long-term health of the business," Mack says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].

In working toward compliance, Mack feels that a compliance and management program will help. And the focus of an organization shouldn't just be about achieving compliance, but maintaining a level of security that will assist in the long run.

During this interview, Mack discusses:

  • The roles card-issuing and sponsoring financial institutions can play in helping their merchant customers and members attain and maintain PCI compliance;
  • Why a majority of merchants seem complacent when it comes to PCI compliance;
  • Why the risk of ongoing and increasing breaches of cardholder data should be a concern for the payments industry.

Mack oversees Verizon's Global Payment Card Industry Practice as well as development of solutions for acquiring banks and merchants, and other industry verticals. She also is one of the key contributors to the Verizon PCI Compliance Report series. Before joining Verizon, Mack served as the vice president for fraud management solutions at MasterCard Worldwide, where she created the company's first PCI education program to increase adoption of the PCI Data Security Standard. While working at MasterCard, she developed the initial draft of the PCI DSS Prioritized Approach, which launched in 2009 to help organizations identify and reduce risk to cardholder data. She also chaired the PCI Security Standards Council Marketing Working Group, where she created and drove marketing plans related to the council's goals and objectives. Mack led the PCI and Partner Security Program practices at Cybertrust, which was acquired by Verizon in 2007, before joining MasterCard in 2009.

Small Businesses and Compliance

TRACY KITTEN: For the second consecutive year, Verizon has found that many small businesses, despite their acceptance of credit and debit payments, continue to fall short when it comes to compliance with the PCI Data Security Standard. That seems rather shocking given the fact that the standard has been around for nearly a decade. Can you tell us why you think so many small businesses are having a hard time achieving and maintaining PCI compliance?

JEN MACK: The Data Security Standard has been out for just six years now at this point, and I think initially folks had a difficult time achieving compliance because they were trying to understand what the scope of the standard was and what the intent of the requirements was, etc. But over the last few years, we have seen many organizations be successful in achieving compliance. Now it's really moved towards the struggle to maintain. Many, I think, have not accepted or moved towards a programmatic approach, so it's really difficult to keep and maintain all of those 250 requirements in place throughout the year.

KITTEN: Verizon's new report includes information about businesses in the U.S., Europe, as well as Asia. Can you provide any market insights or differentiation among the markets when it comes to PCI compliance? What unique challenges or struggles does each of these markets face?

Follow Jeffrey Roman on Twitter: @gen_sec
