After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years, Verizon’s 2018 Payment Security Report reveals a downward trend in companies failing compliance assessments and perhaps not maintaining full compliance.

The PCI DSS helps businesses offering card payment facilities to protect their payment systems from breaches and theft of cardholder data, and compliance has been shown to help protect payment systems both from data breaches and theft of cardholder data.

The report, released today, shows that only 52.4 percent of organizations maintained full compliance in 2017, compared to 55.4 percent in 2016.

Regionally, companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8 percent, compared to those in Europe (46.4 percent) and the Americas (39.7 percent).

By sector, IT services remain the most compliant, with 77.8 percent achieving full status. Retail (56.3 percent) and financial services (47.9 percent) were ahead of hospitality organizations (38.5 percent).

“PCI Compliance standards are slipping across global businesses and this simply can’t continue,” comments Rodolphe Simonetti, global managing director for security consulting, Verizon. “Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs.  We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.”

Verizon advocates following nine factors of control effectiveness and sustainability to support the 12 key requirements for the PCI DSS standard:

  • Factor 1: Control Environment: The sustainability and effectiveness of the 12 Key Requirements depends on a healthy Control Environment.
  • Factor 2: Control Design: Proper control operation to meet DSS security control objectives depends on sound Control Design.
  • Factor 3: Control Risk: Without on-going maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down.  Mitigation of control failures requires integrated management of Control Risk.
  • Factor 4: Control Robustness: Controls operate in dynamic business and ever-changing threat environments.  They must be robust to resist unwanted change to remain functional and perform to specifications (configure standards, access control, system hardening, etc.).
  • Factor 5: Control Resilience: Security controls can potentially still fail, despite adding layers of control for increased robustness, therefore control resilience with proactive discovery and quick recovery from failure is essential for effectiveness and sustainability .
  • Factor 6: Control Lifecycle Management: To achieve all of the above it is necessary to monitor and actively manage security controls throughout each stage of their lifecycle from inception to retirement. 
  • Factor 7: Performance Management: Establishing and communicating performance standards to measure the actual performance of the control environment improves control effectiveness, and promotes predictable outcomes of your data protection and compliance activities, allowing for early identification and correction of performance deviations.
  • Factor 8: Maturity Measurement: A control environment should never be stagnant – it must improve continuously. To do so, businesses need a roadmap, a target level of process and capability maturity to track the degree of formality and optimization of processes as indication of how close developing processes are to being complete and capable of continual improvement.
  • Factor 9: Self-Assessment: Achieving all of the above requires in-house proficiency – resource capacity (people, processes and technology), capability (supporting processes), competency (skills, knowledge and experience) and commitment (the will to consistently adhere to compliance requirements) – in short a self-assessment proficiency.

Read more from the Verizon 2018 Payment Security Report here.