The number of global organizations fully compliant with PCI DSS regulations has fallen for the second year in a row to just under 37%, according to a new report from Verizon.
The firm’s annual Payment Security Report (PSR) has tracked compliance levels for several years. This year’s was compiled from 302 PCI DSS engagements by Verizon Qualified Security Assessors (QSAs) with a range of organizations, including Fortune 500 and large multinationals firms, in over 60 countries.
The global compliance figure fell from 53% in last year’s report — a significant drop. APAC organizations appeared to be the best prepared, with 70% fully compliant. The figure fell to 48% in Europe and a disappointing 20% in the Americas.
Rodolphe Simonetti, global managing director for security consulting at Verizon, warned that while 2010-16 saw an increase in compliance levels, the trend is now reversing.
Featuring data from Verizon’s Threat Research Advisory Center (VTRAC), the report claimed that a compliance program without proper controls has a 95% chance of not being sustainable and is therefore a major target for attack.
“Many organizations spend a lot of time and money creating data protection compliance programs, but often these are ineffective — looking good on paper but not able to withstand the scrutiny of a professional security assessment,” Simonetti explained.
“We still see CISOs focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.”
The findings chime with a Security Scorecard report from 2018 which revealed that over 90% of US retailers were non-compliant with PCI DSS, failing four or more of the key requirements of the standard. Requirement six — dealing with maintaining secure systems and applications — was a problem for 98%.