Verizon Investigates Breaches; Releases Security Report

On the heels of more potential security breaches being investigated by Verizon, the company is working to help retail companies be better prepared to fight security threats, following the release of its 2014 PCI Compliance Report.

While PCI Compliance alone will not deter all breaches, it will go a long way to mitigating problems and improving the overall perception of the brand, noted Stephen Reynolds, Facilities Manager at Verizon Federal Network Systems, in an interview with Retail TouchPoints.

But many retail organizations struggle to make PCI Compliance a business priority. “We continue to see organizations that view it [PCI Compliance] as a separate project,” Reynolds explained. “They must integrated it into existing security frameworks within the organization. If compliance is done right, then security is done right.”

{loadposition TSHBAIAA022014}

The Verizon research study concluded that just 11.1% of companies are fully compliant when Verizon shows up for the initial compliance assessment, but the majority of companies do fulfill their compliance requirements in time for their annual deadline. “Organizations struggle to sustain compliance in order to prepare for the [annual] assessment,” said Reynolds.

It’s the sustainability aspect of PCI Compliance that Reynolds says most companies need to work on. “When an organization looks at total security in the right way, then compliance is a natural bi-product. Companies need to really align those two together.”

To that end, Verizon offered five recommendations for retail organizations, explained by Reynolds:

1. Don’t underestimate the effort involved in PCI Compliance. “It takes time, money and executive sponsorship. It needs to be viewed as an entire business responsibility. We see organizations fall into a trap where they put the majority of responsibility on IT or Security.”
2. Make compliance sustainable. “There are thousands of compliance tasks an organization needs to complete throughout the year to be sustainable. Unfortunately, we see organizations that continue to focus compliance around the annual assessment versus implementing a year-round program.”

3. Think of compliance in a wider context. “One of the best things an organization can do is simplify. Many compliance standards overlap. By validating once and reporting many times, organizations will realize significant efficiencies.”
4. Leverage compliance as an opportunity. “When implemented correctly, compliance can drive process improvements, consolidate infrastructure, generate equity and customer good will. It should be viewed as an opportunity and not just a burden.”

5. Focus on understanding the scope of the compliance project. “There are clear best practices around how to understand scope: Store less data on fewer systems and get rid of unnecessary data. This not only makes compliance easier but can save significant money in terms of storage and backup costs.”

Offering one final bit of advice, Reynolds urges companies to identify a C-level project owner for PCI Compliance. Then the project can trickle down to other executives in Security Management, Compliance, Internal Audit and IT.