Four out of five organizations that achieve PCI compliance will fail an assessment less than one year later. That finding comes from Verizon’s 2015 compliance report for the Payment Card Industry Data Security Standard.
The report paints a picture of an industry too focused on one-off assessments. Not enough attention is paid to creating a secure environment and maintaining PCI compliance for the other 364 days of the year.
The data comes from Verizon’s team of security assessors, breach investigators, and other security experts as they worked with clients from 2012 through 2014.
Highlights of the report:
One thing to clarify about this report: it draws on two different types of PCI assessment. The validation assessment establishes whether an organization is compliant at a point in time; the interim assessment, conducted later, shows whether the organization has maintained that compliance. The interim results are not good: only 1 in 5 organizations (20%) is still compliant less than one year after a successful validation, which means 80% of merchants fail the assessment within a year of validating their PCI compliance.
How can this happen? The report points to a widespread lack of procedures for managing and maintaining compliance. Controls are poorly designed or poorly implemented, and organizations rely too heavily on error-prone and costly manual processes. All of this hurts both business efficiency and security.
We have argued many times that PCI compliance does not equal security. An organization that focuses solely on the requirements will be disappointed by the protection they provide. Effective security cannot be mandated by a set of industry regulations.
That said, the report states that Verizon has never seen a company breached while it was PCI compliant. In 10 years of investigations, every breached merchant was neglecting at least one requirement at the time of the breach.
What does this tell us? Although PCI DSS compliance does not equal security, it’s better than nothing. Many of the controls required by PCI DSS will help organizations improve security, even if they are not an effective blueprint for building a safe and secure environment.
Verizon’s team really dug into the data for this report. They even looked at organizations that were breached to understand how their PCI compliance changed between an interim assessment and the security incident that came later.
Two requirements that EVERY breached organization failed to meet in 2014:
The report’s authors say fulfilling these two requirements is likely to give you the “biggest bang for your compliance buck.” Failure to comply with them is more closely associated with having a breach than the other requirements.
Anyone who worked in security during 2014 can tell you incidents are rising, and Verizon’s report puts numbers on that impression. Security incidents have grown by 66% per year on average since 2009. In 2014 alone the increase was nearly 50%, bringing the total number of reported incidents to 43 million.
EMV cards, also known as “chip-and-PIN” or “chip-and-signature” cards, are growing in the U.S. and are expected to become standard by the end of the year. Merchants that cannot accept them by October take on liability for fraudulent card-present transactions on their systems that EMV acceptance would have prevented. That liability shift is expected to drive widespread adoption.
Canada introduced the cards in 2008, and its experience suggests what to expect: a drop in card-present fraud, but a sharp rise in card-not-present fraud as criminals change tactics. The Canadian figures show a clear decline in lost/stolen card fraud between 2008 and 2013 and a clear rise in card-not-present fraud, with the net result being a slightly larger volume of total losses. Will the U.S. see the same trend? Only time will tell.
Also: mobile payments get a lot of press, but their volume is dwarfed by card transactions. Card use is growing in every region of the world, and in the U.S. credit and debit cards account for two-thirds of all purchases by value.