For the first time in six years, full compliance with the Payment Card Industry Data Security Standard (PCI DSS) has dropped among businesses worldwide, slipping down to 52.5% in 2017 from 55.4% a year prior, according to the Verizon 2018 Payment Security Report.
From 2010 to 2016, Verizon noted steady improvements in PCI DSS compliance across companies. Poor compliance could leave businesses more vulnerable to cybercrime, as it may be easier for attackers to steal credit and debit card data from their systems.
There were some differences in compliance noted both regionally and across industries. For example, companies in the Asia-Pacific region were 77.8% fully compliant, while those in the Americas were only 39.7% compliant, the report said. This could be due to maturity of IT systems, rollout strategies, and cultural differences.
IT was the most compliant business sector, at 77.8% compliant. Retail was the second-most compliant at 56.3%, and financial services rounded out the top three at 47.9%. Hospitality had the lowest compliance sustainability, at 38.5%.
“PCI Compliance standards are slipping across global businesses and this simply can’t continue”, Verizon’s Rodolphe Simonetti said in a press release. “Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.”
To improve compliance, Verizon recommends the following nine factors of control effectiveness and sustainability:
- Control Environment
- Control Design
- Control Risk
- Control Robustness
- Control Resilience
- Control Lifecycle Management
- Performance Management
- Maturity Measurement
- Self-Assessment
“Data-sharing and cross-industry collaboration is vital to understand the evolving threat landscape and to progress global payment security,” PCI Security Standards Council CTO Troy Leach said in the release. “As evident in this report, organizations continue to face challenges maintaining high-levels of security and demonstrating ongoing compliance in rapidly changing environments.”
The big takeaways for tech leaders:
- Full PCI DSS compliance has dropped for the first time in six years, down to 52.5% of companies globally. — Verizon, 2018
- IT was the most compliant business sector, at 77.8% compliant. — Verizon, 2018