Verizon has some good news and some bad news about organizations’ compliance with PCI DSS.
In its 2017 “Payment Security Report,” Verizon analyzed the “compliance patterns and control failures” of organizations subject to PCI DSS. The report also pulled information from Verizon’s annual “Data Breach Investigations Report” and looked at the correlation between the findings of each.
The good news in the report is that more companies reached full compliance with PCI DSS in 2016 than in 2015.
“For the first time, more than half (55.4%) of companies we assessed were fully compliant at interim validation, compared to 48.4% in 2015,” Verizon wrote. “But that means that nearly half of stores, hotels, restaurants, practices and other businesses that take card payments are still failing to maintain compliance from year to year.”
While having more than half of organizations compliant is a positive trend, Verizon also noted that compliance doesn’t necessarily mean security, particularly because organizations tend to “lose focus” once they achieve compliance. The trick, according to the report, is not to focus purely on meeting the compliance requirements, but to “make sustainability and resilience part of their larger security program.”
The bad news is that those organizations not fully in compliance with PCI DSS are missing the mark by a wider margin than before. The companies that failed their compliance assessments in 2015 were missing 12.4% of the required controls, and in 2016, 13% of the controls were missing.
“Many of the security controls that weren’t in place cover fundamental security principles with broad applicability, and their absence could be material to the likelihood of suffering a data breach,” said Verizon.
However, the report said this isn't necessarily because companies aren't putting effort into security; one factor is that the controls they do implement are ineffective, either because controls lose effectiveness over time or because they don't adapt to other changes in the environment. Either way, the problem is significant.
“Over the past five years we’ve analyzed PCI DSS compliance, the proportion of companies achieving 100% has gone up almost fivefold,” Verizon said. “Despite this general improvement, the control gap of companies failing their interim assessment has actually grown worse. Looking at it requirement by requirement, five out of six of the worst performers are the same now as they were in 2012.”
In comparing the data in the “Payment Security Report” to the “Data Breach Investigations Report,” Verizon noticed another significant connection.
“Of all the payment card data breaches that Verizon has investigated between 2010 and 2016 — nearly 300 — not a single organization was fully PCI DSS compliant at the time of the breach.”
So, while compliance with PCI DSS may not guarantee the security of an organization, it likely decreases the odds of it being the victim of a data breach.