Nearly 80 percent of all businesses fail their interim PCI compliance assessment, leaving them vulnerable to cyberattacks, according to Verizon’s 2015 PCI Compliance Report, released today (March 12). With more than two-thirds of all purchases made with payment cards and $20 trillion in credit card transactions expected for 2015, security has become a top priority for organizations that accept credit cards.
In its fourth annual installment, Verizon’s 2015 report examines the state of Payment Card Industry Data Security Standard (PCI DSS) compliance and its correlation to data breaches among global organizations in the financial services, retail, and travel and hospitality industries, among other sectors.
Verizon’s cybersecurity research has consistently found that since 2009 organizations suffering a data breach showed lower than normal compliance with a number of PCI DSS controls.
By reducing the likelihood of being breached, companies can better manage their brand, ensure consumer trust and potentially avoid hefty fees. In fact, 69 percent of all consumers are less inclined to do business with a breached organization.
“Today’s cybersecurity landscape is constantly changing,” said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions. “Compliance at a point in time isn’t sufficient to protect data. Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities within an organization’s greater security strategy.”
Key 2015 PCI Findings Overview
This year’s findings indicate that only 29 percent of companies are still fully PCI DSS-compliant less than a year after being validated. While annual compliance and ongoing control standard maintenance remains low, there is a bright spot in the 2015 report.
Almost twice as many companies were validated as compliant during their interim compliance review in 2014 as compared with 2013.
According to Simonetti, “The three key areas where organizations fall out of compliance are: regularly testing security systems, maintaining secure systems and protecting stored data. Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI DSS-compliant at the time of the breach.”
Additional key findings from the report include:
· Between 2013 and 2014, compliance increased for 11 of the 12 PCI DSS controls or, in other words, 60 percent of companies assessed in 2014 were compliant with any given Requirement.
· The average increase in compliance was 18 percentage points.
· The biggest jump in compliance was in authenticating access (Requirement 8).
· The only area where compliance fell was testing security systems (Requirement 11), from 40 percent to 33 percent.
Another troubling trend from this year’s report is that data security is still inadequate, said Simonetti. The volume and scale of data breaches in the past 12 months is proof that current security techniques are not stopping attackers — in many cases they aren’t even slowing them down. PCI DSS compliance must be viewed as part of a comprehensive information security and risk-management strategy. A PCI DSS assessment can uncover important security gaps that should be fixed, but it is not a guarantee that the data is safe from a cyberattack.
2015 PCI Compliance Report From Verizon Enterprise Solutions
This year’s report covers three years of data and includes the results from PCI assessments conducted by Verizon’s team of PCI Qualified Security Assessors for Fortune 500 and large multinational firms in more than 30 countries.
In the report, Verizon offers an in-depth analysis of each of the 12 PCI requirements, including a look at compliance against the 3.0 standard, with an eye toward the soon-to-be-released 3.1 standard.
The 2015 report also includes details of how and where companies fall out of compliance once achieved, and recommendations on how to make compliance easier, featuring actionable recommendations for enterprises that want to stay PCI compliant.
Similar to Verizon’s Data Breach Investigations Report series, the PCI report is based on actual casework and is the only report of its kind in the industry. The report series analyzes PCI DSS assessment data, with a specific focus on the financial services (30 percent), retail (26 percent) and hospitality (15 percent) industries across the Americas (55 percent), Europe (23 percent) and the Asia-Pacific region (22 percent).
The 2015 PCI report can be downloaded at http://vz.to/PCIR15X .