80% of American Organizations Not in Full Card Security Compliance

A new report shows payment security compliance has declined for the second year in a row.

Credit card accounts being sold on the dark web (Image: Shutterstock).

Amid regular headlines about data breaches and failures to protect personal information comes news that only one in five American organizations maintain full payment security compliance, while global compliance has fallen further and continues a downward trend.

Basking Ridge, N.J.-based Verizon, in its “2019 Payment Security Report” (PSR), found that payment security compliance has declined for the second year in a row, with organizations based in the Americas lagging behind their worldwide counterparts.

Compared to previous years, global compliance fell a further 15.8 percentage points in 2018 to 36.7%, continuing the decline in sustainability seen across the past three years (2016-2018). The share of businesses achieving and maintaining compliance has dropped from 52.5% (2018 PSR) to a low of just 36.7% worldwide. Geographically, organizations in the Asia-Pacific region show a stronger ability to maintain full compliance at 69.6%, compared to 48% in Europe, the Middle East and Africa (EMEA) and just 20.4% in the Americas.

Of all the industries investigated globally, financial services companies achieved the highest percentage of full compliance (about 40%), followed by IT services (about 37%), retail (about 36%) and hospitality (about 26%).

The PSR is an annual study of how organizations perform against the Payment Card Industry Data Security Standard (PCI DSS), a security standard established by the leading card brands to help businesses reduce fraud. It is meant to help businesses that accept card payments protect their payment systems from breaches and cardholder data theft. The study measured compliance as an organization’s ability to meet, and importantly to maintain, the standard.

According to the Verizon PSR, data protection and compliance present daily challenges. Many organizations believe they can use a one-size-fits-all script to achieve effective and sustainable data protection. However, in the real world, security is more complicated.

The report noted, “An effective and sustainable control environment remains as relevant as ever. Based on the continuing occurrence and severity of data breaches, many organizations appear to still be approaching compliance as a ‘check box’ routine.”

The payment security study also noted that when Visa Inc. originally launched the PCI DSS in 2004, many assumed organizations would achieve effective and sustainable compliance within five years.

“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” Rodolphe Simonetti, global managing director for security consulting at Verizon, said. “We see an increasing number of organizations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data. With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”

Simonetti continued that many organizations spend a lot of time and money creating data protection compliance programs, but these are often ineffective, looking good on paper but unable to withstand the scrutiny of a professional security assessment. “We still see chief information security officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.”

The report also included data from the Verizon Threat Research Advisory Center (VTRAC), which, according to Verizon, showed that a compliance program without the proper controls to protect data has a more than 95% probability of being unsustainable and is more likely to be the target of a cyberattack.

“For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyberbreaches,” concluded Simonetti. “In this year’s report, we included even more data from the Verizon VTRAC team, the authors of Verizon’s Data Breach Investigations Report series, to add more depth to this discussion. Our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organization. Compliance works!”

In previous payment security reports, Verizon developed a methodology to help organizations manage their data protection compliance programs: the Verizon 9-5-4 compliance program performance framework, a guideline that helps develop and improve capability and process maturity.

This year’s report included results from 302 PCI DSS engagements for a range of organizations, including Fortune 500 and large multinational firms in more than 60 countries.

Similar to Verizon’s Data Breach Investigations Report series, the 2019 PSR is based on actual casework, with a specific focus on financial services (50.7%), IT services (17.5%), retail (19.9%) and hospitality (10.6%).

“Without a sound strategy to measure data protection effectiveness and sustainability, throwing money at data protection does little to prove an organization is getting better at maintaining compliance. This approach may lead to a false sense of security. Many organizations appear stuck in a reactive cyclic pattern, focusing only on meeting baseline compliance requirements,” the report suggested.