Nearly half of global organizations are not maintaining compliance with the payment card security standard PCI DSS from one year to the next, according to new stats from Verizon.
The consultancy conducted interviews with financial services, IT services, hospitality and retail organizations to compile its 2017 Verizon Payment Security Report.
Although, for the first time, over half (55%) were fully compliant at their interim validation, that still leaves nearly half that were not.
Hospitality businesses were the worst offenders, with only 43% achieving full PCI DSS compliance, followed by retail (50%) and financial services (59%).
What’s more, on average 13% of key controls were missing, up from 12% the previous year; each missing control significantly increases an organization’s chances of a breach.
Gabriel Leperlier, head of continental Europe advisory services at Verizon, argued that a lack of ongoing knowledge and skills in organizations is affecting their ability to stay compliant.
“Often a project is started, compliance achieved and simply not maintained as the employee with the PCI skill-set leaves the company; then compliance declines and the program has to be restarted all over again. Or alternatively we see unskilled professionals being tasked with maintaining compliance with the PCI standard but they do not have the basic knowledge to achieve this goal,” he told Infosecurity.
“Ongoing training and employee awareness are essential. These must be aligned with the changing aspects of the business and the requirements of the standard.”
These skills shortages can also lead many firms to look at PCI DSS in isolation, rather than in terms of “control lifecycle management”, Leperlier added.
He recommended that organizations consolidate controls to make them easier to manage, invest in developing in-house expertise, apply a balanced approach that is both robust and resilient, automate as much as possible, and understand that the performance of each control is interlinked with the performance of the others.
“If there is a problem at the top, this will impact the performance of the controls at the bottom. It is essential to understand this in order to achieve and maintain an effective and sustainable data protection program,” he concluded.