PCI DSS payment security compliance drops again

Worldwide, barely one-third of companies are maintaining full compliance with the PCI DSS security standard – and the numbers are falling

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) has fallen for the second year in a row to just 36.7% globally, according to new statistics released by network services provider Verizon in its 2019 Payment security report.

Launched by financial and credit services firms American Express, Discover, Mastercard and Visa in 2004, PCI DSS was supposed to help organisations that offer card payment facilities to protect their systems from breaches and thefts of user data.

At launch, it was widely hoped that organisations would be able to achieve effective and, crucially, sustainable compliance by 2009. But, 15 years later, this seems to have slipped down the agenda, with those achieving and maintaining PCI DSS compliance sliding from 52.5% in 2018 to hit a new low.

Organisations in the Asia-Pacific (APAC) region were the most likely to maintain compliance at 69.6%, compared to 48% in Europe, the Middle East and Africa (EMEA) and just 20.4% in the Americas, said Verizon.

“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” said Rodolphe Simonetti, global managing director for security consulting at Verizon.

“We see an increasing number of organisations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data. With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programmes.”

Verizon’s report also incorporated data from its in-house Threat Research Advisory Centre (VTRAC), which found that compliance programmes lacking the proper controls to protect data were completely unsustainable and far more likely to be hit by a cyber attack.

“For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches,” said Simonetti. “Our data shows that we have never investigated a payment card security data breach for a PCI DSS-compliant organisation. Compliance works.”

Verizon has now produced its own framework to help organisations along the road to achieving PCI DSS compliance.

Its 9-5-4 Compliance Programme Performance Framework brings together a number of previously established compliance methodologies and has been designed to help organisations “achieve repeatable, consistent and predictable outcomes”.

The framework is supposed to provide guidance on mapping, monitoring and reporting the status of sustainability and effectiveness for nine different factors – control environment, control design, control risk, control robustness, control resilience, lifecycle management, performance management, maturity measurement and self-assessment – across four essential areas of assurance – individual accountability, risk management and compliance teams, internal audit, and external audit and regulators.

“Many organisations spend a lot of time and money creating data protection compliance programmes, but often these are ineffective – looking good on paper, but not able to withstand the scrutiny of a professional security assessment,” said Simonetti.

“We still see CISOs focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.”