Full compliance with the Payment Card Industry data-security standard dropped in 2017 for the first time in six years, according to a report released Tuesday by Verizon Communications Inc.
New York City-based Verizon’s PCI-qualified security-assessment service, one of the largest in card-related security industry, says 52.5% of the organizations it inspected maintained full PCI compliance in 2017, down from 55.4% in 2016 but still above 2015’s 48.4%. The percentages come from a database of about 2,400 assessment reports dating back to 2012, with about 400 new ones being added every year.
“I hope it’s a blip, but I also hope it’s a bit of a wake-up call,” Ron Tosto, global manager of Verizon’s PCI Advise and Assessment Services, tells Digital Transactions News.
Card-accepting merchants need to bake security into their business operations, not just meet specific requirements of the mandatory PCI rules, according to Tosto. The not-fully-compliant companies typically had met all the PCI rules but fell out of compliance within three to nine months, he says.
“I think the wake-up call is really to do your due diligence as an organization, not just compliance,” he says. The goal should be that “security programs are business as usual.”
Most, but not all, of Verizon’s QSA clients are Fortune 500 companies or other large card-accepting merchants. These firms typically are so-called Level 1 merchants that generate, for example, 6 million or more Visa transactions a year. Such merchants traditionally have been the most compliant with PCI rules.
Verizon doesn’t have a definitive reason for the 2017 compliance decline, Tosto says. But a partial explanation is that as more merchants adopt tokenization, point-to-point encryption, and other security technologies that either hide card data or remove it from their networks altogether, the merchants that haven’t beefed up their defenses are becoming more attractive to hackers. “They’re the ones left with the cardholder data,” Tosto says.
The 2017 study found that 77.8% of companies in the Asia-Pacific region were fully PCI-compliant. Europe-based companies came in second at 46.4%, and those in the Americas trailed at 39.7%. The Americas traditionally have lagged Asia and Europe in PCI compliance, in part because of the later adoption of EMV chip card payments in the U.S.
Among major industry sectors, information-technology businesses rank first, with 77.8% of Verizon’s IT clients fully PCI compliant. Some 56.3% of retailers were fully compliant, as were 47.9% of financial-services firms. Hospitality organizations, which traditionally have a high proportion of data breaches, trailed with only 38.5% assessed as fully PCI compliant.
Data sharing and cross-industry collaboration are vital to understanding evolving threats and achieving global payment security, according to Troy Leach, chief technology officer of the Wakefield, Mass.-based PCI Security Standards Council, which administers the PCI standards. “As evident in the Verizon Payment Security Report, organizations continue to face challenges maintaining high levels of security and adjustments to controls in rapidly changing environments,” Leach said in a blog post.