Nearly half of organizations that store, process or transmit card data are still failing to maintain PCI DSS compliance from year to year, reveal new statistics. According to the 2017 Verizon Payment Security Report, the number of enterprises becoming fully compliant is on an upward trend—growing almost five-fold since 2012. Last year, 55.4 percent of organizations interviewed, including those in financial services, IT services, hospitality and retail, were fully PCI DSS compliant—up from 48.4 percent in 2015.
Source: 2017 Verizon Payment Security Report However, despite improving numbers, even companies that pass validation are struggling to maintain compliance for each requirement, with many of them falling out of compliance within a year or less. In fact, the control gap of companies failing their interim assessments has grown worse, says Verizon. In 2016, organizations that failed an interim audit were missing 13 percent of key controls, up from 12.4 percent in 2015. “Many of the security controls that weren’t in place cover fundamental security principles with broad applicability, and their absence could be material to the likelihood of suffering a data breach,” explained Verizon.
Source: 2017 Verizon Payment Security Report What’s more, out of all the payment card data breaches that Verizon investigated between 2010 and 2016 – roughly 300 – not a single organization was fully PCI DSS compliant at the time of the breach. Of the organizations assessed, IT services was the top performing industry, where almost two-thirds (61.3 percent) achieved full compliance. Financial services and hospitality followed closely with 59.1 percent and 50 percent, respectively. Based on full compliance, retail organizations demonstrated the lowest compliance sustainability across all key industries with 42.9 percent. This is not because companies aren’t trying to improve their security, the report suggests: “Often compliance and security failures are not down to controls not existing but them being ineffective.”
“In a PCI DSS context, control effectiveness requires procedures to promote understanding of risk exposure, putting controls in place to address those risks, and effectively pursuing the cardholder data protection objectives. These include effective and efficient processes, reliable data protection, and compliance with policies, regulations and applicable laws.” (2017 Verizon Payment Security Report Executive Summary)
For additional key findings, read the full 2017 Verizon Payment Security report here. To learn more about Tripwire's compliance solutions, click here.