For many companies, maintaining compliance with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) appears to be more challenging than actually achieving it.
A new survey by Verizon on the state of PCI compliance among organizations that handle debit and credit card data shows that more companies than ever are achieving some form of compliance with the requirements of the standard.
Verizon reviewed (registration required) quantitative data from PCI assessments that it conducted over the last two years at customer locations and from data breach investigations it conducted for clients over the same period. The data showed that between 2013 and 2014, compliance rates went up substantially for 11 out of 12 major PCI requirements among companies required to meet the standard. The only area where compliance rates fell during the same period pertained to security testing. About 20 percent of the companies reviewed were fully compliant with all PCI requirements at interim assessment, compared to just over 11 percent in 2013 and barely 7.5 percent in 2012.
Despite such progress, 7 out of 10 companies that achieve PCI compliance fail to maintain that status even for a year. Verizon’s research showed that only 28.6 percent of companies managed to remain compliant for the full year between annual assessments.
A lot of that has to do with the continued failure by companies to implement robust measures for managing and maintaining compliance, once they have achieved it, says Andi Baritchi, global managing principal at Verizon and one of the authors of the report.
It’s common for organizations to conflate validation and compliance, Baritchi says. “Compliance means doing all of the things that PCI says you need to do during the year,” he said. “The assessment is merely a snapshot in time. It validates that Company X is compliant,” based on a specific assessment at a specific point in time.
Companies that suffer data breaches are often quick to note that they had been validated for compliance within the past year. But that doesn’t mean that they were in fact compliant at the time of the breach, Baritchi said. In fact, data from the past 10 years shows that not a single company that suffered a data breach was compliant with PCI requirements at the time of the incident, he said.
“This leads us to the question: has compliance become too complex, preventing organizations from looking at the ‘big picture’?” says Dave Oder, CEO of Shift4 Corp. “Organizations that focus on compliance, and jump through all of PCI’s hoops, may achieve compliance for a moment in time.”
But it is only organizations that are looking to be secure at all times that will find compliance easier to achieve and maintain, he says.
The 84-page Verizon report highlights the multiple factors that impact an organization’s ability to maintain compliance on a sustained basis. From a technical standpoint, the complexity of systems in an IT environment, the architectural design, the physical location of systems and the manner in which they are interconnected, can impact the level of investment and effort needed to maintain compliance, the report noted.
Similarly, an organization’s ability to sustain compliance at an operational level depends on factors like the proficiency of its IT organization and the culture of the organization regarding adherence to policies. The degree to which strategic, business, and data protection objectives are aligned can also impact compliance sustainability in a big way, Verizon said in its report.
“It is not uncommon for executives to make strategic business decisions (like changes to sales channels and mergers) without considering the potential impact on information security and compliance, and how that might affect the business case,” the report said.
The PCI Security Standards Council, which administers the standard, has somewhat controversially insisted for some time that organizations that implement and maintain compliance with all of PCI’s requirements will not get breached. It has noted, as Verizon does in its report, that every single company that has suffered a payment card data breach was also not PCI-compliant at the time.
In a statement responding to the Verizon report, the PCI Council’s general manager Stephen Orfei reiterated those sentiments. “Often an organization’s approach to PCI security is to focus on passing the annual compliance assessment,” he said. But this is only the start, he noted.
“Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice will help thwart [security threats],” he said.