PCI DSS compliance falls despite security benefit

A growing number of companies are failing compliance assessments or failing to maintain full compliance with the payment card industry data security standard (PCI DSS).

This is the main finding of Verizon’s 2018 Payment security report, which has documented improvements in PCI DSS compliance over the past six years.

PCI DSS provides a framework that enables businesses that offer card payment facilities to measure the performance of controls aimed at protecting their payment systems.

Despite Verizon’s data breach investigation reports showing the effectiveness of PCI DSS in protecting payment systems from breaches and theft of cardholder data by cyber criminals, the latest payment security report shows that PCI compliance by global businesses is decreasing.

Data gathered by Verizon’s PCI DSS qualified security assessors (QSAs) during 2017 shows that only 52.4% of organisations maintained full compliance in 2017, compared with 55.4% in 2016.

The report also reveals regional differences, with 77.8% of organisations in the Asia-Pacific region achieving full compliance, compared with just 46.4% in Europe and 39.7% in the Americas.

These differences, the report said, can be attributed to the timing of geographical compliance roll-out strategies, cultural of awards and recognition, or the maturity of IT systems.

By business sector, IT services remain on top when it comes to compliance, with more than three-quarters of organisations (77.8%) achieving full compliance status. Retail (56.3%) and financial services (47.9%) were also significantly ahead of hospitality organisations (38.5%), which demonstrated the lowest compliance sustainability.

With businesses often using PCI DSS compliance to help meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), Verizon said the gap between the various business sectors that deal with electronic payments on a daily basis is significant.

“PCI compliance standards are slipping across global businesses and this simply can’t continue,” said  Rodolphe Simonetti, global managing director for security consulting at Verizon.

“Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.”

Troy Leach, chief technology officer of the PCI Security Standards Council (PCI SSC), said data-sharing and cross-industry collaboration is vital to understand the evolving threat landscape and to progress global payment security.

“As evident in this report, organisations continue to face challenges maintaining high levels of security and demonstrating ongoing compliance in rapidly changing environments,” he said.

Organisations should pay close attention to the findings in the report to remain vigilant for key learnings on how to remain secure, said Leach. “Compliance should never be seen as the end goal for security, but rather a measurement for an organisation’s continued success in protecting data.”

According to Simonetti, Verizon has developed nine factors to help businesses sustain their PCI compliance levels. “Our aim is to provide a clear structure and methodology to firstly help compliance personnel, but also equip them to open compliance dialogue with their board members, making the narrative easier to understand,” he said.

For compliance processes to be effective, they need to be driven from the top, said Simonetti. “But often progress or challenges are not clearly communicated or understood by executives,” he said.

To help businesses keep on the right compliance track, the report includes a comprehensive timeline that charts timing for specific compliance activities.

Verizon’s nine factors of control effectiveness and sustainability that support the 12 key requirements of PCI DSS are:

1. Control environment

The sustainability and effectiveness of the 12 key requirements depends on a healthy control environment.

2. Control design

Proper control operation to meet DSS security control objectives depends on sound control design.

3. Control risk

Without ongoing maintenance, including security testing and risk management, controls can degrade over time and eventually break down. Mitigation of control failures requires integrated management of control risk.

4. Control robustness

Controls operate in dynamic business and ever-changing threat environments. They must be robust to resist unwanted change to remain functional and perform to specifications.

5. Control resilience

Security controls can potentially still fail, despite adding layers of control for increased robustness, therefore control resilience with proactive discovery and quick recovery from failure is essential for effectiveness and sustainability.

6. Control lifecycle management

To achieve all of the above, it is necessary to monitor and actively manage security controls throughout each stage of their lifecycle, from inception to retirement.

7. Performance management

Establishing and communicating performance standards to measure the actual performance of the control environment improves control effectiveness, and promotes predictable outcomes of data protection and compliance activities, allowing for early identification and correction of performance deviations.

8. Maturity measurement

A control environment should never be stagnant – it must improve continuously. To do so, businesses need a roadmap, a target level of process and capability maturity to track the degree of formality and optimisation of processes as an indication of how close developing processes are to being complete and capable of continual improvement.

9. Self-assessment

Achieving all of the above requires in-house self-assessment proficiency. This includes resource capacity (people, processes and technology), capability (supporting processes), competency (skills, knowledge and experience) and commitment (the will to consistently adhere to compliance requirements).