PCI compliance drops for first time in years

More companies are failing compliance assessments or not maintaining full compliance, two issues that make them more vulnerable to cybercrime.

Full compliance with the Payment Card Industry Data Security Standard (PCI DSS) has dropped for the first time in six years to 52.5%, according to the “2018 Payment Security Report” from Verizon.

The PCI DSS helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. PCI DSS compliance has been shown to help protect payment systems from both data breaches and theft of cardholder data.

However, PCI compliance is decreasing among global businesses, with only 52.4% of organizations maintaining full compliance in 2017, compared to 55.4% in 2016. Rates differ across regions, as companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8%, compared to those based in Europe (46.4%) and the Americas (39.7%). These differences can be attributed to the timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems.

By business sector, IT services remain on top when it comes to compliance, with over three-quarters of organizations (77.8%) achieving full status. Retail (56.3%) and financial services (47.9%) were significantly ahead of hospitality organizations (38.5%), which demonstrated the lowest compliance sustainability. With businesses often leveraging PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), this gap between the various business sectors that deal with electronic payments on a daily basis is significant.

“PCI Compliance standards are slipping across global businesses and this simply can’t continue,” said Rodolphe Simonetti, global managing director for security consulting, Verizon. “Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.”