The seventh Verizon Payment Security Report, unlike past years, makes for alarming reading. For the first time since 2012 there has been a decrease in businesses achieving and maintaining PCI DSS requirements. At a time of tighter data protection regulations (e.g. PCI DSS v3.2.1, GDPR, etc.), how could this be the case? We’ve analysed the results and drawn the following three conclusions:
- Compensating controls do not mean compliance by default.

There has been an increase in the use of compensating controls, with 41.8% of organisations applying one or more to achieve PCI compliance, up from 30.2% in 2016. At the same time, there has been a decrease in companies achieving and maintaining full compliance (52.5%, down from 55.4% in 2016). Moreover, the control gap (a measure of ‘how badly’ companies failed by) has significantly increased to 16.4%. This echoes what we discussed in our webinar: compensating controls are merely a band-aid solution and do not make organisations compliant by default.
- Organizations are struggling with increased regulations.

The report shows 47.5% of organisations assessed had not maintained all PCI DSS controls, a drop from 55.4% the previous year, and only 18% of organisations measure their controls more frequently than PCI DSS requires. PCI DSS v3.2.1 now requires organisations to provide evidence of compliance throughout the year, not just at the time of audit. This highlights that organisations are struggling to meet the changing requirements of PCI DSS, which is in no small part due to a third (33%) of organizations still treating PCI DSS compliance as an annual project. As discussed by Geoff Forsyth back in January, the ‘cramming culture’ is no longer enough.
- Organizations adopting a unified approach to regulation changes have a step up.

Alongside the changes to PCI DSS, numerous other standards have come into effect, the most significant being the General Data Protection Regulation (GDPR). The impact of this has been global, with California already reinforcing its data protection laws and other states set to do the same. With 65% of organisations reporting that they followed at least one other industry standard, it stands to reason that just under half (47%) are taking a unified approach to meet multiple requirements. As we have covered in the past, PCI DSS and the GDPR sit on the same branch: a breach of PCI compliance is a breach of the GDPR. Achieving and maintaining PCI compliance will go a long way towards complying with the GDPR. Of course, this will not make organisations compliant with all regulation, but given that 76% of data breaches are financially motivated, it makes sense to keep sensitive credit card information secure and, where possible, remove it from your environment completely. Solutions such as Agent Assist go a long way to achieving this by completely de-scoping cardholder-not-present payments from contact centers.