PCI compliance drops for the first time in the last 6 years – Verizon report

The compliance with the Payment Card Industry Data Security Standard (PCI DSS) has dropped for the first time in six years to 52.5%, according to a Verizon report, writes thepaypers.com.

„About two thirds of organizations (65%) followed at least one other industry standard framework in addition to
PCI DSS. Just under half (47%) said they were taking a unified approach to meet the requirements of multiple
compliance standards.”, Verizon says.

According to the “2018 Payment Security Report„, PCI compliance is decreasing among global businesses, with only 52.4% of organizations maintaining full compliance in 2017, compared to 55.4% in 2016. Rates differ across regions, as companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8%, compared to those based in Europe (46.4%) and the Americas (39.7%). These differences can be attributed to the timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems.

„While PCI DSS compliance has been going up year on year, our observations in the field gave us an early warning that this positive trend could be coming to an end. In fact, the drop is probably a little bit less than we expected, with full compliance dropping just under 3 percentage points (pp) to 52.5%.

What’s more concerning is that the control gap, the average volume of individual controls failed—effectively a measure of “how badly” companies failed—went up to 16.4%. This is almost the level we saw back in 2012 when familiarity with PCI DSS was much lower, and full compliance was just 11.1%.”, says the authors of the report.

By business sector, IT services remain on top when it comes to compliance, with over three-quarters of organizations (77.8%) achieving full status. Retail (56.3%) and financial services (47.9%) were significantly ahead of hospitality organizations (38.5%), which demonstrated the lowest compliance sustainability.

With businesses often leveraging PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), this gap between the various business sectors that deal with electronic payments on a daily basis is significant.

Rodolphe Simonetti, global managing director for security consulting, Verizon, said that consumers and suppliers alike trust brands to secure their payment data, so the industry must act now to remedy this state of affairs. Verizon urges businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.