PCI DSS Compliance Slumps 28% Since 2016

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) has declined for the third year in a row, with organizations failing in their long-term planning, according to Verizon.

The tech giant compiled its Verizon Business 2020 Payment Security Report based as usual on data gathered by its own PCI DSS qualified security assessors (QSAs) and those of other providers.

It revealed that on average only 27.9% of global organizations maintained full compliance with the PCI DSS, a drop of over 27% since compliance peaked in 2016.

The report highlighted other concerns: just half (52%) of assessed organizations successfully test their security systems and processes and check for unmonitored system access, and only around two-thirds effectively monitor access to business-critical systems. Just 71% of financial institutions maintain essential perimeter security controls, Verizon added.

PCI DSS is designed to provide a carrot-and-stick approach to improving data security for merchants that process card payments. On the one hand it offers a best practice framework to help firms mitigate the risk of data breaches, but if they don’t comply and are subsequently hit, large fines could be levied.

The threat is real: 86% of data breaches last year were financially motivated, and in the retail vertical 99% of security incidents involved attackers seeking to acquire payment data, according to the most recent Verizon Data Breach Investigations Report.

Verizon Business president of global enterprise, Sampath Sowmyanarayan, argued that many firms still lack resources and commitment from the top to drive long-term compliance strategies.

“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information,” he continued.

“Payment security has to be seen as an on-going business priority by all companies that handle any payment data; they have a fundamental responsibility to their customers, suppliers and consumers.”

The report highlighted particular challenges for SMBs in performing what is commonly perceived as an onerous and expensive PCI DSS compliance process.

Maxine Holt, senior research director at Omdia, said the report’s findings should serve as a wake-up call to businesses.

“The alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, in this case with PCI DSS 3.2.1, to provide appropriate levels of payment security,” she said.

“It makes clear that long-term data security and compliance combines the responsibilities of a number of roles, including the chief information security officer, the chief risk officer, and chief compliance officer, which Omdia concurs with.”
