Finservs Trend Downward in Compliance Measurement
Only 52.4% of organizations maintain full compliance in 2017.
After documenting improvements in Payment Card Industry Data Security Standard compliance over the past six years (2010 – 2016), Basking Ridge, N.J.-based Verizon’s 2018 Payment Security Report now reveals a concerning downhill drift.
The Verizon Data Breach Investigations Report series showed PCI DSS, which helps businesses offering card payment facilities protect their payment systems from breaches and theft of cardholder data helping to protect payment systems from both data breaches and cardholder data theft.
Data gathered by Verizon’s PCI DSS qualified security assessors during 2017 demonstrates that PCI compliance is decreasing amongst global businesses, with only 52.4% of organizations maintaining full compliance in 2017, compared to 55.4% in 2016. Regional differences highlighted demonstrated that companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8%, compared to those based in Europe (46.4%) and the Americas (39.7%).
By business sector, IT services remain on top when it comes to compliance, with over three-quarters of organizations (77.8%) achieving full status. Retail (56.3%) and financial services (47.9%) were significantly ahead of hospitality organizations (38.5%), which demonstrated the lowest compliance sustainability. With businesses often leveraging PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), this gap between the various business sectors that deal with electronic payments daily is significant.
Amongst key financial services industry findings:
- About 72% of finserv organizations achieved compliance for the secure storage of cardholder data and sensitive authentication data.
- Only 73.2% were compliant with developing and maintaining secure systems and applications, down from the previous year.
- A greater number (87.3%), however, were compliant with protecting the transfer of cardholder data and sensitive authentication data over unprotected networks.
“PCI Compliance standards are slipping across global businesses and this simply can’t continue”, Rodolphe Simonetti, global managing director for security consulting, Verizon said. “Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.”
Simonetti indicated Verizon developed nine factors which help businesses sustain their compliance levels. “Our aim is to provide a clear structure and methodology to firstly help compliance personnel, but also equip them to open compliance dialogue with their board members, making the narrative easier to understand.”
Verizon’s nine factors of control effectiveness and sustainability include controlling the environment, design, risk, robustness, resilience, lifecycle management, performance, maturity measurement and self-assessment.
“Data-sharing and cross-industry collaboration is vital to understand the evolving threat landscape and to progress global payment security. As evident in this report, organizations continue to face challenges maintaining high-levels of security and demonstrating ongoing compliance in rapidly changing environments,” Troy Leach, Chief Technology Officer of the PCI Security Standards Council said. “Organizations should pay close attention to the findings in the report to remain vigilant for key learnings on how to remain secure said in the report. “Compliance should never be seen as the end goal for security but rather a measurement for an organization’s continued success in protecting data.”