Compliance with security regulations doesn't always mean that an organization won't be breached, but according to Verizon, compliance does often lead to better security outcomes. That's one of the high-level findings in the Verizon 2017 Payment Security Report released Aug. 31, providing insight into the current state of Payment Card Industry Data Security Standard (PCI-DSS) compliance.
"What happened for the first time with this report is that the majority of companies were able to maintain PCI-DSS compliance," Rodolphe Simonetti, global managing director for security consulting at Verizon told eWEEK.
According to the report, 55.4 percent of organizations analyzed by Verizon were found to still be PCI-DSS compliant one year after their initial assessment. Back in 2015, Verizon found that only 48.4 percent of organizations remained compliant after one year. On average, companies fall out of compliance within 9 months. A key challenge for PCI-DSS and other compliance regulations is that organizations often see compliance as a point-in-time exercise and are unable to maintain compliance in a continuous manner.
Simonetti said that the fact that over half of organizations were able to maintain PCI-DSS compliance indicates a level of maturity about security processes and controls. PCI-DSS is a compliance methodology that is intended to help improve the security of payment systems. The PCI-DSS 3.2 compliance specification includes over 900 security controls spread across 12 different top-level requirements for risk mitigation.
Of the 12 requirements, Simonetti said that there are four in particular where organizations tend to have challenges and fall out of compliance. Those requirements include R11 for ongoing security testing, R10 for security monitoring, R3 for security data at rest with encryption and R2 which outlines a need for securing systems.
As to why organizations fall out of compliance, Simonetti said that in his experience many organizations focus too much time on selecting what they consider to be the best technology. He added that rather than choosing what is perceived to be a best-of-breed security technology, organizations would likely be better served by choosing security technologies that they can operate properly.
Verizon also looked at the link between PCI-DSS compliance and security breaches to see if compliance was reducing risk.
"Compliance doesn't automatically mean security, but what we found is that a lack of compliance means you are probably not secure," Simonetti said.
Simonetti said that looking back over the past 11 years of forensic breach investigations, Verizon found that not a single company was PCI compliant at the time of a breach. Furthermore 89 percent of breached companies were never compliant, while 11 percent were PCI compliant at one point, but not at the time of the breach.
"PCI compliance, while not the best security level you can reach, is good enough, to avoid being breached," Simonetti said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.