The Slippery State of PCI Compliance

These days, in the Age of the Breach, securing sensitive payment card data has become a giant task for merchants, issuers, and processors.

The security rules these players live by are contained in the PCI Security Standards Council’s data-security standard. But it turns out compliance with these rules is a never-ending challenge. Merchants can be compliant one day, and out of compliance the next—and not even realize they’ve slipped out of compliance.

So how well are merchants doing in maintaining that compliance? It’s a sobering statistic. Only 28.6% of the companies surveyed in the Verizon 2015 PCI Compliance Report were still in compliance a year after a successful validation.

Released last month, the annual report catalogs the state of PCI compliance with data gleaned from more than 5,000 assessments performed in 2014 by Verizon Enterprise, the business-services unit of telecommunications giant Verizon Communications Inc. Verizon says this year’s survey has 1,000 more assessments than the 2014 report.

Compliance with rules set by the PCI Security Standards Council is meant to ensure merchants use practices that protect sensitive payment card data.

There could be a number of reasons for the trailing compliance rate, Verizon says. A company might not have strong enough procedures in place for managing and maintaining the compliance efforts.

Also, PCI compliance is just a moment in time, a snapshot taken when the assessment is done, Verizon says. “All it in fact proves is that the company was able to demonstrate compliance at that moment, for the selected sample of sites, devices, and systems checked,” the report says.

There is a bright side. The proportion of organizations that failed their interim compliance assessment is 80%. That may sound high, but it’s a marked improvement from 88.9% in the 2014 report and 92.5% in 2013. Interim assessments are those that organizations perform between their annual ones.

“What we’ve said for a while, and have emphasized in Version 3.0 [of the PCI DSS], is that security needs to be part of the culture of the organization,” says Troy Leach, chief technology officer at the Wakefield, Mass.-based PCI Security Standards Council. “It’s not a technology, not something you buy.”

The Council’s updated data-security standard became effective in 2014, but has a key deadline in 2015.

Leach says in many recent data breaches organizations either had a process in place but didn’t respond to the attack as outlined in the process or they viewed compliance as a once-a-year checkup.

“One of the primary messages the Council preaches is ongoing vigilance and doing the right thing day in and day out as a critical aspect not only for meeting compliance, but for not being asleep at the wheel when an attack comes, which could be a new type of attack,” Leach says.

Of the 12 major requirements in the PCI DSS, the only one not to show improvement from 2013 to 2014 was the one to regularly test security systems and processes. The Verizon report found that only 33% of surveyed firms met that requirement in 2014 compared with 40% in 2013.

Part of the explanation for that decrease may be that organizations lose track of PCI scanning when employees change jobs or leave the company, the report says. It may be that scans are completed only for external threats, and not internal vulnerabilities. Or organizations may simply not be able to produce the scan results because they switched scanning vendors or have lost the report.

Developing metrics for an organization that can show how data security is improving is critical, Leach says. As those measurements improve, compliance can be much easier to maintain over the years, he says.

PCI compliance is challenging for a number of reasons, Verizon said in its report, but merchants can do a few things to make it easier. One is to better understand the scope of compliance, and another is knowing what, where, and how cardholder data is stored, processed and transmitted.

—Kevin Woodward