A case of complacency on compliance?
As noted in a report that debuted on Tuesday (Sept. 25) from Verizon Communications, full compliance with the PCI DSS (short for Payment Card Industry Data Security Standard) dropped last year, the first decline seen in six years.
The headline numbers: 52.5 percent of the organizations surveyed were in full compliance, according to data gleaned from 2,400 reports stretching back to 2012. That latest tally is down from 55.4 percent seen in 2016, yet compares favorably against the 48.4 percent seen in 2015.
The study noted that there are some regional differences, as 77.8 percent of firms in the Asia Pacific region were fully PCI compliant, far outpacing the 46.4 percent at full compliance in Europe, while the standing was 39.7 percent in the Americas. One factor that comes into play when viewing the relatively lower rates of PCI compliance in the Americas is the fact that in the later region, EMV chip card payments are a relatively recent phenomenon.
Broken down by industry vertical, IT firms are among the highest sectors found to have been in full compliance, where Verizon has found that 77.8 percent of its clients are in full compliance with the standards. Then came retailers at 56.3 percent compliant, and just under 48 percent of financial services firms. Lagging was the hospitality sector, where only 38.5 percent of companies were fully PCI compliant.
Delving a bit further into the report, Verizon noted that nearly one in five organizations do not have defined compliance programs in place – delineated as having a formal structure, defined scope and supporting projects in place. And, noted the company, roughly two thirds of companies surveyed were following at least one other industry standard framework “in addition to PCI DSS,” said the report.
In addition, fewer than one in five firms measure the DSS controls in place across the entire environment more frequently than is mandated by DSS. And in terms of frequency, only 40 percent measure PCI DSS compliance annually, compared to 19 percent of firms that measure and report their PCI DSS compliance monthly.