Verizon Study Finds PCI DSS Compliance Falls Worldwide

More companies around the world are opening themselves up to cyber attacks and security breaches as compliance with security payment standards fell last year, a troubling trend that officials with Verizon said needs to be addressed.

The carrier's 2018 Payment Security Report, released this week, found that for the first time in six years, the percentage of businesses around the world complying with the Payment Card Industry Data Security Standard (PCI DSS) decreased year-over-year, from 55.4% in 2016 to 52.5% last year. The standard is used by businesses that offer card payment facilities to help protect their payments systems from data breaches and customer data theft.

(Source: Flickr)

There has been a growing number of high-profile security breaches that have led to the theft of personally identifiable information of customers from such companies as Equifax, Yahoo, Heartland Payment Systems, Under Armour and Target, and such breaches are beginning to cost C-level executives their jobs. Verizon officials said that compliance with PCI DSS has been effective in protecting payment systems against breaches and data theft, which is why the trend away from compliance is concerning. (See Data Breaches Costing More C-Level Executives Their Jobs.)

"PCI Compliance standards are slipping across global businesses and this simply can't continue," Rodolphe Simonetti, global managing director for security consulting at Verizon, said in a statement. "Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs."

Compliance has moved steadily up over the past several years, from 11.1% in 2012 to 48.4% in 2015. According to data collected by Verizon's qualified security assessors (QSAs), that upward trend continued into 2016, but fell off last year.

"The news about the drop in PCI compliance is somewhat alarming," Dan Hubbard, chief product officer at cloud security solutions provider Lacework, told Security Now in an email. "One explanation is that companies are increasingly outsourcing their payments and therefore believe they don't believe they need to adhere to PCI. The other is that they are suffering from compliance fatigue which, in the past, has been laden with manual processes and cumbersome technical challenges that stunt innovation."

The compliance fatigue could be alleviated with seamless and automated compliance and insights into their security, Hubbard said.

Compliance differs among business sectors and geographical regions, according to Verizon's report. IT services has the highest compliance among business sectors, at 77.8%. Retail came in at 56.3% and financial services at 47.9%, with hospitality at the lowest level at 38.5%. The gap among the various business sectors is important given that companies will leverage their PCI DSS compliance efforts as part of their work to meet the security requirements of data security regulations, such as the European Union's General Data Protection Regulation (GDPR), according to Verizon officials. (See Cisco: GDPR Is About More Than Compliance.)

(Source: Verizon)

Ronald Tosto, global manager of PCI advise and assessment services at Verizon, told Security Now that evidence points to point-of-sales (PoS) systems being the weak link when it comes to credit card data.

"In many cases, hospitality and retailers are using point-of-sale systems that have not been certified as a payment application that meets data security standards," Tosto said. "In the United States, there is an inconsistent use of credit cards with chips and PIN numbers to verify card ownership. And while merchants can have their own system to implement point encryption, there has been a low adoption rate for the approach."

On a regional basis, compliance in the Asia-Pacific region comes in at 77.8%, followed by Europe on 46.4% and the Americas on 39.7%. There are multiple reasons for the differences, including the timing of compliance rollout strategies, the cultural appreciation of awards and recognition, and the maturity of IT systems, Verizon officials said.

Nathan Wenzler, chief security strategist at security consulting firm AsTech, told Security Now that the drop in compliance numbers isn't surprising. Wenzler noted that the PCI Council has added new requirements to the PCI DSS Guidelines in recent years that are too complicated or expensive for many small businesses and difficult for enterprise to manage consistently at a large scale. Suspicion that some of the requirements were done to appease software vendors has made some businesses skeptical about the validity of the guidelines, he said.

"This perception change makes things much more difficult for everyone, since the various PCI requirements can absolutely be used as powerful tools to bolster any security program, but without the support of the security practitioners who must advise, manage or even implement all of the controls, you're going to see compliance start to drop across the board," Wenzler said.

Verizon officials in the report noted that PCI DSS compliance doesn't mean 100% secure -- it doesn't address the ability of companies to assess data protection governance, oversight or commitment to competence, for example -- it's an important part of the larger security picture.

"Since 2010, not a single organization that we have assessed following a data breach was fully PCI DSS compliant," they wrote.

Verizon's Tosto notes that "companies must have capacity and capability to make an effective change to their payment ecosystem … Our recommendation is to dedicate resources and a sense of energy with urgency to ensure the trend does not continue on a downward path."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.