
GlobalData Technology


Are the payment card industry’s security standards slipping?

Some 15 years after the payment card industry settled on a single data security standard with PCI DSS, there are indications that too many organisations’ practices haven’t risen to the level of maturity that would have been anticipated at this point.

In Verizon’s annual survey of payment card industry security practices, only 37 per cent of the 302 surveyed enterprises sustain full compliance with the 12 requirements that make up PCI DSS consistently over time.

Most organisations are focusing on meeting the basic requirements rather than developing consistent and effective security practices. Just 18 per cent test whether their controls still meet PCI DSS more often than the standard itself mandates.

Lack of compliance programmes is a concern

The Verizon survey highlights a significant regression in practice. Just three years ago, 55 per cent of the surveyed organisations reported that they were maintaining security controls in compliance with PCI DSS at all times.

An alarming 18 per cent of enterprises admitted they have no formal compliance programme in place at all. And only one-fifth described their data protection compliance programmes as advanced.

Security breaches

While it is true that compliance does not equate entirely to effective security, regulations and security mandates can provide an important blueprint to help organisations establish controls and develop best practices.

It is worth noting that the Verizon research found that no organisation that suffered a breach was fully compliant with all 12 PCI DSS requirements.

What is clear from the study is that too many enterprises are not advancing their practices and methodologies over time, leaving valuable assets exposed.

Meeting compliance standards at a point in time only to let controls slide later is a very risky practice. Enterprises need to treat compliance as the foundation for a broader set of security methodologies and practices that evolve with the business.

NS Tech and GlobalData are part of the same group