The financial-services industry can take some satisfaction that it has improved its overall compliance with the PCI data-security standard, going from 42.9% of firms in full compliance in 2015 to 59.1% in 2016, as measured in the 2017 Payment Security Report from Verizon Enterprise, the business-services unit of telecommunications carrier Verizon Communications Inc.
Based on data gathered by Verizon’s qualified security assessors performing PCI DSS compliance assessments, the report indicates that of the four merchant segments—hospitality, retail, and information technology are the others—the financial-services segment had the most improvement in compliance rates. Across all four segments, full compliance stood at 55.4% in 2016, up from 48.4% in 2015.
The hospitality industry, long beset by frequent data breaches of hotel point-of-sale systems, improved from 30% compliance in 2015 to 42.9% in 2016. Information-technology services fell from 72.7% to 61.3% compliance. The retail segment was down from 57.1% to 50% last year.
Full compliance, as defined by Verizon, is when an entity meets all 417 basic controls in the 12 parts of the standard, Ron Tosto, Verizon global PCI manager, tells Digital Transactions News.
“The message here is that full compliance is achievable, and more people are understanding that message and taking security and compliance practices seriously enough to make that happen,” Tosto says. “The double good news is that things are getting better, but there are ways to improve in the report.”
Requirement 11, which concerns testing security systems and processes through vulnerability scans and penetration testing, universally bedevils merchants. In 2016, 66.7% of financial-services companies were in full compliance with the requirement, down from 71.4% in 2015. That was the lowest of the four merchant categories in the Verizon report.
Part of the challenge in meeting the requirement is that a merchant may complete a scan successfully, only for a hacker to try a new attack that gets past the prevention and detection controls, forcing the merchant to scan again. And sometimes, merchants are unsure about what constitutes a vulnerability scan, Tosto says. “Between the confusion and then fixing and retesting, an organization can have a tough time getting through the process,” he says.
New to the report this year is a compliance calendar, which lists the 12 requirements and when to do certain tests and actions. For example, it recommends performing vulnerability scans every three months and after any changes. “If [companies] understand what needs to be done, they can develop effective controls,” Tosto says.
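The cadence described in the calendar (scan every three months and after any change) and the fix-and-retest loop Tosto describes can be tracked mechanically. The following is an added example, not Verizon's compliance calendar or any PCI tool: it assumes "every three months" means a 90-day interval, treats a scan as passing only when it reported no open findings, and uses constructed sample environments and dates. It reports, for each environment, whether a new scan is due now and why.

```python
"""Scan-cadence checker for the quarterly/after-change vulnerability-scan rule.

Added example with constructed data; not Verizon's calendar or a PCI tool.
Assumptions: "every three months" == 90 days (SCAN_INTERVAL_DAYS); a scan
"passes" only if it reported no open findings, so a failed scan means fix
and rescan (the fix-and-retest loop).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SCAN_INTERVAL_DAYS = 90  # assumption: three months approximated as 90 days


@dataclass
class Scan:
    scan_date: date
    passed: bool  # True only when the scan reported no open findings


@dataclass
class Environment:
    name: str
    scans: list = field(default_factory=list)
    last_change: Optional[date] = None  # most recent significant change


def latest_scan(env: Environment) -> Optional[Scan]:
    """Most recent scan on record, or None if never scanned."""
    return max(env.scans, key=lambda s: s.scan_date, default=None)


def evaluate(env: Environment, today: date) -> tuple:
    """Return (status, date_by_which_a_scan_is_due).

    Statuses, checked in priority order:
      no-scan  never scanned; a scan is due now
      retest   latest scan failed; fix findings and rescan now
      change   a significant change postdates the latest scan; rescan now
      overdue  more than SCAN_INTERVAL_DAYS since the latest passing scan
      current  inside the interval and nothing has changed since the scan
    """
    scan = latest_scan(env)
    if scan is None:
        return "no-scan", today
    if not scan.passed:
        return "retest", today
    if env.last_change is not None and env.last_change > scan.scan_date:
        return "change", env.last_change
    due = scan.scan_date + timedelta(days=SCAN_INTERVAL_DAYS)
    if today > due:
        return "overdue", due
    return "current", due


def report(envs, today: date) -> dict:
    """Map environment name -> (status, due date) for every environment."""
    return {e.name: evaluate(e, today) for e in envs}


# Constructed sample data (not from the report): one environment per status.
SAMPLE_TODAY = date(2017, 9, 15)
SAMPLE_ENVIRONMENTS = [
    Environment("cardholder-web", [Scan(date(2017, 8, 1), True)]),
    Environment("pos-branch", [Scan(date(2017, 5, 1), True)]),
    Environment("api-gateway", [Scan(date(2017, 8, 1), True)],
                last_change=date(2017, 9, 1)),
    Environment("legacy-db", [Scan(date(2017, 7, 1), True),
                              Scan(date(2017, 9, 10), False)]),
    Environment("new-segment", []),
]


def main() -> None:
    for name, (status, due) in report(SAMPLE_ENVIRONMENTS, SAMPLE_TODAY).items():
        print(f"{name:15} {status:8} scan due by {due.isoformat()}")


if __name__ == "__main__":
    main()
```

Only "current" means no action; every other status is a reason to schedule a scan before the calendar date arrives, which is the gap the report says trips up merchants on Requirement 11.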