Credit card security compliance declines for third consecutive year

Finance is among the sectors that has struggled most in compliance with a standard for storing and transmitting credit card information. (Uris (English Wikipedia))

For the third year in a row, compliance with the standard for storing and transmitting credit card information has plummeted, with the hospitality, retail and financial sectors struggling.

According to data compiled by Verizon based on its own audits of companies in 60 different countries. Companies that were fully compliant with the Payment Card Industry (PCI) standard dropped from 55.4 percent to 27.9 percent between 2016 to 2019. The 2019 figure is the lowest rate of full compliance since 2013.

“The majority, as in 90-plus percent of all organizations we analyze, do go on to eventually achieve 100 percent compliance after fixing the controls that were not in place,” Gabriel Leperlier, senior manager of security consulting EMEA at Verizon Business, via email. But “the intent of the PCI DSS standard is that controls that fall out of place are detected and corrected quickly – not to wait for an external security assessor to arrive and point out controls that need to be fixed.”

It’s not a change in standards that has caused the decline in compliance. Leperlier notes that while the standards do get revised, the 79 base controls and 252 requirements have largely remained the same.

In fact, he said, “We can even say that the number of test procedures decreased slightly. The updates in the PCI DSS Standard aims to help companies to cope with new security challenge.”

Year after year for the decade Verizon has compiled this report, companies particularly struggle with PCIs chapter 11 demands for vulnerability testing and penetration testing and prompt mitigation of vulnerabilities. And, as long as Verizon has tracked the issue, the hospitality, retail and financial sectors have almost exclusively been the least compliant.

But the problem, according to this and Verizon’s previous reports, isn’t the sector or failure to address any single check box in PCI. Rather, Verizon points to a lack of “compliance sustainability,” long term planning to create long-term compliance.

“Long-term development of sustainable control effectiveness lacks priority and focus,” said Leperlier. “Without this long-term strategy, companies are deemed to fail.”