Payment security compliance in worrying decline
Payment security compliance has declined for the second year in a row, with organisations based in the Americas particularly lagging behind worldwide counterparts, according to Verizon’s 2019 Payment Security Report.
The annual report from the leading wireless technology provider noted that when Visa initially launched the Payment Card Industry Data Security Standard (PCI DSS) in 2004, many assumed that companies would achieve effective and sustainable compliance within five years.
But 15 years on, the number of businesses achieving and maintaining compliance has dropped from 52.5 per cent last year to a low of just 36.7 per cent worldwide. Geographically, those in the Asia Pacific (APAC) region showed a stronger ability to maintain full compliance at 69.6 per cent, compared to 48 per cent in Europe, Middle East and Africa (EMEA) and just 20.4 per cent in the Americas.
PCI DSS helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data, with compliance measured on an organisation’s ability to meet and maintain the standard.
“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” said Rodolphe Simonetti, global managing director for security consulting at Verizon. “With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”
The report also included data from the Verizon Threat Research Advisory Centre (VTRAC), which demonstrated that a compliance programme without the proper controls to protect data has a more than 95 per cent probability of not being sustainable and is more likely to be a potential target of a cyber attack.
“For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches,” concluded Simonetti. “In this year’s report, we included even more data from the VTRAC team to add more depth to this discussion – our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organisation.”
This year's report included results from 302 PCI DSS engagements for a range of organisations, including large multi-national firms in more than 60 countries. It was based on actual casework with a specific focus on financial services (50.7 per cent); IT services (17.5 per cent), retail (19.9 per cent) and hospitality (10.6 per cent).