Failure to Maintain PCI Compliance Exposes Online Retailers to Security Breaches


This article originally appeared at The WHIR

Online retailers are struggling with a rising number of security breaches. According to the 2015 PCI Compliance Report released by Verizon in March, 80 percent of businesses fail their interim PCI DSS compliance assessments.

The study examined PCI DSS assessment data focusing on the Americas, Europe and APAC with industries including financial services, retail and hospitality.

With the volume of security incidents up an average of 66 percent a year since 2009, it’s important for online retailers to be aware of the significant challenges they are facing.

Mobile ecommerce is also growing very quickly, yet payment applications running on customers' mobile devices are not currently covered by the PA-DSS standard that applies to traditional payment applications. Canadians experienced a growth rate in mobile ecommerce of about 11 percent, while China’s Alipay reported growth of over 30 percent.

“Mobile solutions may collect, store and use payment data in different ways and different locations,” Verizon’s report said. “And although payment applications developed for use on customer mobile devices are not currently subject to PCI PA-DSS requirements, they still need to comply with the secure application development controls in PCI DSS.”

According to the report, “[w]ith more than two-thirds of all purchases made with payment cards and $20 trillion in credit card transactions expected for 2015, security has become a top priority for organizations that accept credit cards.”

This increase in security breaches is evidenced by several high profile cases within the last year. Large retailers Home Depot, Kmart and Dairy Queen all experienced hacks exposing sensitive customer credit card information.

“Another troubling trend from this year’s report is that data security is still inadequate,” said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions. “The volume and scale of data breaches in the past 12 months is proof that current security techniques are not stopping attackers — in many cases they aren’t even slowing them down. PCI DSS compliance must be viewed as part of a comprehensive information security and risk-management strategy.”

Even after initially being validated as PCI DSS compliant, only 29 percent of companies were still compliant less than a year later. However, almost twice as many companies were validated as compliant in 2014 as in 2013.

“The three key areas where organizations fall out of compliance are: regularly testing security systems, maintaining secure systems and protecting stored data,” said Simonetti. “Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI DSS-compliant at the time of the breach.”

The latest version of the PCI DSS and PA-DSS requirements became effective on January 1, 2015.


About the Author

Cheryl Kemp is the Content Director for the WHIR and HostingCon. At the WHIR she is responsible for writing and developing content, managing social media communities, and photography and videography. At HostingCon she is responsible for recruiting and coordinating advisory boards, as well as managing the conference program development process and speaker selection. She attended the University of Cincinnati and holds a degree in Psychology.
