The yearly Verizon Payment Security Report is an invaluable insight into the way companies are handling PCI DSS compliance as well as the effect full compliance (or a lack thereof) has on the industry as a whole. Not only are we able to keep track of how many organizations are fully PCI DSS compliant, we can also – via the follow-up Verizon PCI Forensic Investigator Enquiry – find out just how much compliance can affect an organization’s risk of being breached.
The headlines are largely positive this year, as the report highlights an upward trend in PCI compliance. But does this seemingly good news mask a growing problem?
The key figure being talked about in this year’s report is the upward swing in the percentage of organizations that are fully PCI DSS compliant: in 2016 this was 48.3%, and this year the number has grown to 55.4%. This marks the first time ever that more than half of organizations assessed have been fully compliant, and Verizon notes that full compliance has increased fivefold since 2012.
On the surface this seems to demonstrate a positive upward trend, but looking at this statistic in reverse shows that nearly half of the companies assessed are still failing their compliance validation assessments. While the growing number of fully compliant organizations is undoubtedly positive, the high number of noncompliant companies is worrying.
The report also demonstrates that the way in which companies are attempting compliance isn’t exactly improving either. The control gap of organizations that failed their assessment – the average percentage of controls that these organizations failed to have in place – has actually grown, going from 12.4% in 2012 to 13% in 2016. The report highlights that the majority of the controls that were not implemented were “fundamental security principles [that are] material to the likelihood of an organization suffering a breach.” So not only are these companies failing to achieve full compliance, they’re protecting their customers’ sensitive data even less than they were four years ago.
Sustainability and resilience
One of the biggest issues highlighted by the report is one of sustainability. Out of all the companies who passed their initial interim assessment, Verizon found that around half fell out of compliance within a year or sooner. This failure to uphold compliance standards tends to fall under two categories: non-observance of consistent and sustained testing after the initial assessment, and neglecting to update security systems in line with the latest technological developments. In fact, Verizon reports that Requirement 11 of PCI DSS (Regularly test security systems and processes) is one of the least complied with overall. In short, it seems many organizations are still unaware of or unwilling to acknowledge the fact that security systems and protocols need to be constantly maintained, tested, and updated if they are to stay resilient to the latest attacks.
Verizon also highlights the importance of PCI DSS compliance to keeping your customers’ personal data safe; in their following Data Breach Investigations Report they state that, out of all organizations who had suffered a breach, not one was fully PCI DSS compliant.
When the consequences of a security breach are taken into account, the failure to take compliance seriously seems even more astonishing. Even if an organization can afford the monumental fees that go along with a breach (which are set to increase even further when the new GDPR is implemented at the beginning of next year) the ensuing loss of reputation can be fatal. According to the report, 66% of customers say they would be unlikely to do business with an organization that had suffered a security breach of sensitive information. In a social media-saturated world where negative reviews and opinions of brands can be shared worldwide, most organizations simply cannot afford to keep taking this risk.
For more information on how you can make sure that your company isn’t at risk, visit our Knowledge Centre for handy guides on all you need to know about PCI DSS compliance.