Numerous warnings have gone out to companies in highly regulated industries such as retail, finance and healthcare. Despite the growing threat of breaches, a recent study found lapses in data security that could put companies and their customers at risk. A recent Security Info Watch article highlighted the research, which found that 55 percent of organizations in the financial, hospitality and retail industries stored unencrypted payment card data.
The number rises to 70 percent when only merchants are considered, which represents a severe compliance risk. Payment Card Industry standards require vendors that manage or store credit card numbers and other cardholder information to use data encryption software. According to the news source, more than 10 percent of the vendors surveyed left magnetic stripe information unencrypted while it was stored on the corporate network. This represents another potential threat, since attackers can use this data to commit credit card fraud.
The potential risks can quickly escalate for any business, particularly when a data breach does occur. On top of hefty compliance fines, organizations that are victimized by attackers often suffer from reputational damage in the aftermath of an incident. For this reason, it is critical that business leaders and employees stay aware of security best practices and compliance guidelines.
The path to PCI compliance
The Payment Card Industry compliance standards cover a range of responsibilities, including the use of data encryption software, vulnerability scans, penetration testing and web application testing. TechTarget contributor Mike Chapple recently suggested developing a security framework that allows for ongoing evaluations that measure the company's practices against regulations.
"It's a good idea to plan an annual calendar of assessments and tests so that the company doesn't miss a deadline or wind up rushing to complete all of its PCI validation requirements at the end of the year," Chapple wrote. "Finally, be sure to retain documentation of all of the company's assessments so that its compliance can be demonstrated to an auditor."
Reporting and documentation are critical and can eliminate a lot of headaches when it comes time for the audit. As Chapple noted, any merchant that handles one million or more transactions per year is required to submit a compliance validation report to its merchant bank annually. The level of data security required varies with the size of the merchant and the number of transactions it processes. For example, vendors with more than six million transactions per year are required to undergo a yearly independent audit, while smaller merchants may conduct an assessment internally. In either case, PCI standards require file encryption software for credit card numbers and other sensitive information such as magnetic stripe data.