It’s a sobering statistic. Only 28.6% of the companies surveyed in the Verizon 2015 PCI Compliance Report were still in compliance with the Payment Card Industry data-security standard a year after a successful validation.
Released Thursday, the annual report catalogs the state of PCI compliance gleaned from more than 5,000 assessments performed in 2014 by Verizon Enterprise, the business-services unit of telecommunication carrier Verizon Communications Inc. Verizon says this year’s survey has 1,000 more assessments than the 2014 report.
Compliance with rules set by the PCI Security Standards Council is meant to ensure merchants use practices that protect sensitive payment card data.
There could be a number of reasons for the trailing compliance rate, Verizon says. A company might not have strong enough procedures in place for managing and maintaining its compliance efforts. PCI compliance is just a moment in time, a snapshot taken when the assessment is done, Verizon says. “All it in fact proves is that the company was able to demonstrate compliance at that moment, for the selected sample of sites, devices, and systems checked,” the report says.
There is a bright side. The percentage of organizations that failed their interim PCI compliance assessment is 80%, a marked improvement from 88.9% in the 2014 report and 92.5% in 2013. Interim assessments are those that organizations perform in between their annual ones.
“What we’ve said for a while and have emphasized in Version 3.0 [of the PCI DSS] is that security needs to be part of the culture of the organization,” Troy Leach, chief technology officer at the Wakefield, Mass.-based PCI Security Standards Council, tells Digital Transactions News. “It’s not a technology, not something you buy.”
The Council’s updated data-security standard became effective in 2014, but has a key deadline in 2015.
Leach says that in many recent data breaches, organizations either had a process in place and didn’t respond to the attack as outlined in that process, or they viewed compliance as a once-a-year checkup. “One of the primary messages the Council preaches is ongoing vigilance and doing the right thing day-in-and-day-out as a critical aspect not only for meeting compliance, but for not being asleep at the wheel when an attack comes, which could be a new type of attack,” Leach says.
Of the 12 major requirements in the PCI DSS, the only one not to show improvement from 2013 to 2014 was the one to regularly test security systems and processes. The Verizon report found that only 33% of surveyed firms met that requirement in 2014 compared with 40% in 2013.
Part of the explanation for that decrease may be that organizations lose track of PCI scanning when employees change jobs or leave the company, the report says. It may be that scans are completed only for external threats and not for internal vulnerabilities, or organizations may simply be unable to produce the scan results because they switched scanning vendors or have lost the report.
Developing metrics that can show an organization how its data security is improving is critical, Leach says. As those measurements improve, compliance becomes much easier to maintain over the years, he says.