Compliance with the Payment Card Industry data-security standard remains an elusive goal for many merchants and other organizations that handle general-purpose payment card data. In fact, compliance fell in 2018 for the second year in a row, according to Verizon Communications Inc.
Verizon’s newly released Payment Security Report says only 36.7% of organizations reviewed for its annual global study were fully compliant with the PCI DSS in 2018, down nearly 16 percentage points from 2017, which in turn was down slightly from the peak of 55.4% in 2016. The 2018 global compliance rate is the lowest since 2013, when it was just 20%.
The PCI DSS debuted in 2006 as a common set of required security rules endorsed by the leading card networks for merchants, processors, and financial institutions, though predecessor network regulations date back even farther. New York City-based Verizon, which besides its main telecommunications business has a large data-security operation that includes PCI assessments, started tracking PCI compliance a decade ago.
What explains the recent declines? In addition to difficulties achieving PCI compliance in the first place, many organizations apparently are having a hard time maintaining it. Where the company or organization is located also appears to play a role, since compliance rates vary widely by region. Verizon says 69.6% of assessed Asia-Pacific organizations were in full compliance last year, compared with 48% for the Europe/Middle East/Africa region and just 20.4% in the Americas.
“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” Rodolphe Simonetti, global managing director for security consulting at Verizon, said in a news release. “We see an increasing number of organizations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data. With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”
The new report includes data from other PCI-qualified security assessors (QSAs) besides Verizon and is based on assessments of 302 organizations in more than 60 countries. About half were financial firms; others included 60 retailers and 32 hospitality companies.
“Our research suggests that many organizations believe they can protect data by following a script, as if doing A, B and C in the correct order will achieve effective and sustainable data protection,” the report says. “In the real world, solutions are not simple, requiring complex paths with non-linear progression.”
PCI DSS compliance can be complicated and expensive, depending on an organization’s size and payments infrastructure, and merchants have grumbled about it for years. The standard covers 12 key, or broad, requirements, 78 so-called base requirements, and over 400 test procedures.
The largest compliance drop in 2018 involved key Requirement 6, which governs the development and maintenance of secure applications and systems, whether by PCI-subject organizations themselves or third parties they’re using. Full compliance fell nearly 20 percentage points to 56.1%.
There is some good news in the report. Verizon said the “control gap,” a measure of how far organizations were from full PCI compliance, remained steady last year at 7.2%. That percentage is an average derived from the number of failed controls divided by the number of controls expected.