"I have never investigated a data breach where the company concerned was fully compliant with PCI DSS," said Matthijs van der Wel, head of the EMEA forensics team at Verizon Business.
Despite the benefits and the need for compliance, only 22% of over 200 organizations assessed in 2008 and 2009 were up to standard, according to the latest study on PCI DSS compliance by Verizon Business.
The PCI requirements to protect stored data, to track and monitor access to network resources and cardholder data, and to regularly test security systems offer the most protection against data breaches.
But these are also the three requirements that businesses find most difficult to meet, the study found.
"These sound easy, but are difficult to do, especially in legacy environments that focus on protecting the perimeter and are based on the assumption that anyone inside the network is trusted," said Van der Wel.
There are some things that are easier to do, he said, that would immediately improve most organizations' data protection capability.
"We advise organizations to store only the personal data that is required and only for as long as necessary," said Van der Wel.
Many organizations think data is power, but the more personal data they store, the bigger targets they become for hackers, he said.
"With greater data, comes greater responsibility," he added.
Keeping systems that process personal data separate from other data systems is also a simple way of reducing the risk of data breaches, he said, by limiting their exposure.
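The advice above (keep only the cardholder data the business needs, keep it only as long as necessary, and protect what is stored) can be enforced at the point where transaction records are written. The following is an added example, not code from the article or from Verizon Business; the field names, the 90-day retention period and the sample records are assumptions made for illustration, and the sample card numbers are standard test numbers, not real accounts.

```python
"""Data minimisation and retention for card transaction records.

Added example (not from the article). Assumptions: records are dicts with a
'pan' field, optional sensitive authentication fields, and a 'captured_at'
timezone-aware datetime; the business only needs the last four PAN digits
and keeps transaction records for 90 days.
"""
from datetime import datetime, timedelta, timezone

# Sensitive authentication data must never be retained after authorisation
# (PCI DSS requirement 3). Field names here are assumed for the example.
NEVER_STORE = {"cvv", "track_data", "pin_block"}

# Assumed retention period for transaction records.
RETENTION = timedelta(days=90)


def minimize(record: dict) -> dict:
    """Return a copy of a transaction record that keeps only what is needed.

    The full PAN is replaced by its last four digits and any sensitive
    authentication fields are dropped before the record reaches storage.
    """
    pan = record["pan"].replace(" ", "")
    kept = {k: v for k, v in record.items()
            if k not in NEVER_STORE and k != "pan"}
    # Last four digits are enough for receipts and dispute handling.
    kept["pan_last4"] = pan[-4:]
    return kept


def purge_expired(records: list, now: datetime) -> tuple:
    """Drop records older than RETENTION; return (kept_records, purged_count)."""
    kept = [r for r in records if now - r["captured_at"] <= RETENTION]
    return kept, len(records) - len(kept)


def process(raw_records: list, now: datetime) -> tuple:
    """Minimise every record, then apply the retention policy."""
    return purge_expired([minimize(r) for r in raw_records], now)


# Constructed sample input: two transactions, one inside and one outside the
# retention window, both carrying data that must not be stored.
SAMPLE_NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)
SAMPLE_RAW = [
    {"txn_id": "t1", "pan": "4111 1111 1111 1111", "cvv": "123",
     "amount": 42.50, "captured_at": SAMPLE_NOW - timedelta(days=10)},
    {"txn_id": "t2", "pan": "5500000000000004", "cvv": "999",
     "track_data": "CONSTRUCTED-TRACK-DATA", "amount": 9.99,
     "captured_at": SAMPLE_NOW - timedelta(days=120)},
]

if __name__ == "__main__":
    kept, purged = process(SAMPLE_RAW, SAMPLE_NOW)
    print(f"stored {len(kept)} record(s), purged {purged}")
    for r in kept:
        print(r)
```

Running the file keeps only transaction t1, with the PAN reduced to `pan_last4` and no CVV; t2 is purged because it is older than the retention period. The same two checks (no forbidden field ever present, no record older than the policy allows) are what an assessor looking at requirement 3 would want to see demonstrated on the real data store.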
"I am always shocked at how often the most basic of security controls are not in place," said Van der Wel.
Another common failing, he noted, is that many organizations treat PCI DSS compliance as a one-off exercise that they prepare for in the week before an assessment, rather than as an ongoing process that requires continual attention.
This story was first published by Computer Weekly.