It’s a good news/bad news sort of day for the progress of securing payments around the world via the PCI DSS standards, according to new data released by Verizon.
The good news is that an ever-increasing number of firms around the world are getting into the groove with the Payment Card Industry Data Security Standard (PCI DSS) — according to the recently released figures, 55.4 percent of organizations complied with PCI when validated in 2016, up from 48.4 percent in 2015.
So, party hats for everyone!
Well — might want to hold off on those for one second.
The same report also indicated that staying compliant is something of an issue, and there is the not-small matter of the 44.6 percent of businesses that are not up to PCI snuff. That is a concern, since the compliance requirements, which cover controls such as firewalls, protection of data in transit, encryption and authentication, have a fairly strong track record of warding off cybercriminals and their talent for breaching systems and scooping up data.
Verizon's breach investigations make the point: in the payment card breaches it investigated, not one of the breached organizations was fully PCI DSS compliant at the time of its breach.
And, Verizon noted, even though the PCI DSS controls largely do what they are supposed to, passing validation is not even half the battle. Almost half of the organizations that pass validation fall out of compliance within a year.
So where was the best — and worst — compliance?
In news shocking to exactly no one, the IT sector did best on full PCI DSS compliance, with 61.3 percent of organizations fully compliant at interim validation. Financial services came in a close second, with 59.1 percent of organizations fully compliant. Financial services firms did, however, report difficulties with some security procedures, including secure configurations, vulnerability management and overall risk management.
Retailers looked notably weaker at 50 percent, and hospitality didn't even break into majority territory, with only 42.9 percent of hospitality organizations showing as compliant.
Retailers' trouble areas were security testing, encryption of data in transit and authentication. Hospitality and travel, on the other hand, had problems with security hardening, protecting data in transit and physical security.