Payment security compliance declines for the second year in a row
Verizon releases 2019 Payment Security Report to examine the issue.
Payment security compliance is trending downward and not showing any signs of improvement. In their 2019 Payment Security Report, Verizon investigates the trend and provides a framework for companies to get on track to compliance.
Companies in full compliance with the Payment Card Industry Data Security Standard (PCI DSS) dropped to 36.7 percent, down from 52.5 percent in 2018. American companies fall behind their overseas counterparts, with only one in five organizations making the cut. According to data from the Verizon Threat Research Advisory Center (VTRAC), a compliance program without proper controls to protect data has less than a five percent chance of being sustained and is more likely to have its data compromised.
Visa Inc. first launched the PCI DSS in 2004, and in the midst of an ever-changing, innovative world, it seems more difficult than ever for companies to achieve sustainable compliance.
PCI DSS sets a standard intended to keep sensitive payment data safe from breaches and theft. “After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” said Rodolphe Simonetti, global managing director for security consulting at Verizon. “We see an increasing number of organizations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data. With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”
The Verizon 9-5-4 framework, featured in the 2019 report, can help organizations become sustainably compliant with PCI DSS. The framework offers “9 Factors of Control Effectiveness and Sustainability,” among them control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management and self-assessment. Companies should also evaluate the “5 Constraints of Organizational Proficiency,” which are capacity, capability, competence, commitment and communication. The framework was adapted this year to add four lines of measurement: individual accountability, risk management and compliance teams, internal audit, and external audit or regulators.
“We believe that when you build a framework using the PCI compliance controls and you combine that with all the other requirements you have for your organization, you build a security framework that will allow you not only to achieve your compliance requirements, but also to be able to avoid data breaches,” Simonetti said.
According to Simonetti, measuring the steps a company takes to secure data is important to ensure that it can recover, and learn from the incident, if a data breach does occur.
This year’s report includes results from 302 PCI DSS engagements for organizations around the world; the assessments were completed by Verizon and by third-party PCI Qualified Security Assessors ControlScan, Foregenix, MegaplanIT and Schellman.
Written by Madison Arnold