SOURCE: VeriSign, Inc.

September 17, 2007 09:00 ET

New Report Pinpoints Challenges Companies Face in Protecting Sensitive Consumer Data

With PCI Compliance Penalty Deadline Looming, VeriSign Finds 53 Percent of Companies Assessed Fall Short of Mandatory Security Standards

MOUNTAIN VIEW, CA--(Marketwire - September 17, 2007) - As large companies face a Sept. 30 Payment Card Industry (PCI) deadline to lock down their networks and customer data, a new report reveals where many are falling short of mandatory security standards. In fact, more than half of the companies profiled in the report still do not sufficiently protect sensitive consumer information.

The report, published by VeriSign, Inc. (NASDAQ: VRSN), the leading provider of digital infrastructure for the networked world, found that 53 percent of enterprise-class companies do not meet the data security standards established by the PCI. The report also lists the top 10 reasons companies fail PCI data security audits. PCI security standards apply to all companies that store, process and transmit credit and debit card payment information.

VeriSign's Global Security Consulting team, which authored the report, found that companies are struggling to comply with PCI standards in several key areas, including regular testing, securing applications, logging and protecting data. In fact, regular testing was the chief failure point for audited companies, with 48 percent failing that requirement.

VeriSign based its report findings on 60 recent PCI audits involving 50 different large companies. Unless they pass the audits, which evaluate how well companies comply with more than 230 data security requirements, the firms may face stiff fines or risk losing their ability to process credit card transactions. The Sept. 30 compliance validation deadline to avoid fines and/or higher interchange fees was set for all merchants and service providers by VISA USA as part of its Compliance Acceleration Program(1).

"To live up to the trust of their customers, companies in the payment card industry need to implement enterprise-wide security processes and controls to protect card data and other sensitive customer information," said John Pescatore, vice president, Gartner Inc. "The key to making PCI DSS compliance less cumbersome and less complex is to build security into ongoing operations."

"More Lessons Learned -- Practical Tips for Avoiding Payment Card Industry (PCI) Audit Failure" updates findings published last year. In addition to itemizing where companies fail PCI audits, the white paper offers strategic and tactical advice that card issuers, merchants and service providers can use today as the PCI deadline nears. The paper is available at:

"This white paper shows that, despite continued efforts on the part of many companies, PCI compliance remains an elusive target," said Branden R. Williams, director, PCI Practice at VeriSign. "The fact is, PCI compliance is tough for some businesses, and trends such as an increasing reliance on wireless networks are only making it tougher. This paper offers a lifeline to organizations scrambling to meet these standards, and provides actionable insights derived from VeriSign's experience in helping companies achieve compliance at their first assessment and every assessment thereafter."

VeriSign's 2007 report shows some signs of improvement over time: Although VeriSign found 53 percent of assessed companies failing at least one of the PCI standard's security requirements, that's still an improvement over the 73 percent failure rate reported last year. However, the ever-shifting landscape of data security caused many enterprises to fail requirements that they had passed the year before.


VeriSign's Global Security Consulting directly supports the VeriSign Layered Security Solution, which addresses the interdependencies of each aspect of a company's security effort. For instance, an organization can have strong policies and state-of-the-art technology, but it must also regularly test its network, firewalls, and applications to ensure that these security measures are working properly and data is secure. VeriSign's PCI compliance services include consulting services for assessment and remediation advice and programs, along with network security and authentication services to meet ongoing compliance requirements. To read a VeriSign PCI compliance services end-user case study, go to

About VeriSign

VeriSign, Inc. (NASDAQ: VRSN), operates digital infrastructure services that enable and protect billions of interactions every day across the world's voice, video and data networks. Additional news and information about the company is available at

Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as the inability of VeriSign to successfully develop and market new products and services, and implement price increases, and customer acceptance of any new products, services, or price increases, including the price increases mentioned herein; the possibility that VeriSign's announced new products, services and price increases may not result in additional customers, profits or revenues; and increased competition. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2006 and quarterly reports on Form 10-Q and current reports on Form 8-K. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.