For six years in a row, Verizon has reported a steady increase in compliance with the PCI-DSS security standard for payment security. Unfortunately, it’s a trend that has now changed course.
On Sept. 25, Verizon released its 2018 Payment Security Report, revealing a drop in Payment Card Industry Data Security Standard (PCI-DSS) compliance. In the 2018 report, 52.5 percent of organizations were compliant with PCI-DSS, declining from 55.4 percent that was reported last year.
“It’s not a good trend,” Ciske Van Oosten, senior manager of Global Intelligence at Verizon, told eWEEK. “We know that organizations that do not maintain PCI-DSS compliance, those are the ones that get breached.”
Verizon also compiles the annual Data Breach Investigation Report (DBIR) and has correlated the cross-section of organizations that have been breached with those that are required to be PCI-DSS compliant. According to Verizon, over the last 14 years there has not been a single confirmed data breach of an organization that was fully PCI-DSS compliant at the time of its data breach.
The decline in PCI-DSS compliance for the first time since 2012 is something that Van Oosten said Verizon last year predicted would likely happen. PCI-DSS compliance has grown significantly overall since 2013, when Verizon reported that only 11.1 percent of organizations were able to demonstrate compliance sustainability.
Control Gap
PCI-DSS includes a complex set of requirements for organizations to implement different mitigating controls to minimize risk. Van Oosten said the 2018 report is all about control effectiveness because there are more than 400 test procedures in PCI-DSS.
Compliance varies based on geography, with organizations in the Asia-Pacific region reporting the highest level of full PCI-DSS compliance at 77.8 percent. European organizations had a PCI-DSS compliance rate of 46.4 percent, while organizations in the Americas had the poorest showing at 39.7 percent. There is also a variance in PCI-DSS based on industry sector. IT services came out on top with 77.8 percent of organizations having full PCI-DSS compliance. In contrast, retail organizations had a compliance rate of 56.3 percent, and hospitality was only 38.5 percent.
Among the PCI-DSS control gaps highlighted by Van Oosten is Requirement 10.
“Only 8.4 percent of organizations that have a confirmed payment card data breach had Requirement 10 in place, which is a requirement to track and monitor access in place at the time of the breach,” he said. “Resilience, that ability to stay on top of things to monitor, is really key.”
The core message from Verizon’s 2018 Payment Security Report is that organizations need to have a framework and policies in place to sustain the life cycle and management of security controls.
“The problem of data protection is not that it’s a knowledge problem. The knowledge is out there. It’s not a technology failure either,” Van Oosten said. “It’s not that organizations experience data breaches because technology fails; rather, it’s really about proficiency.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.