Compliance with universal payment-card security standards has plummeted as organisations’ tick-the-box approach leaves customers’ sensitive payment data exposed to security risks, according to new Verizon research that found just 36.7 percent of audited companies were still fully compliant with PCI DSS standards.
That rate was down significantly from 52.5 percent the year before, according to the company’s latest Payment Security Report, which collates and analyses the results of 302 compliance audits conducted during 2018.
The difference of 15.8 percent marked a significant increase from the 2.9 percent drop recorded the year before – which followed four years of surging compliance as businesses invested heavily to keep with increasingly onerous governance, regulatory and compliance (GRC) initiatives.
PCI DSS compliance is meant to be an ongoing business exercise but Ferdinand Delos Santos, APAC senior manager for Verizon’s Security Assurance Consulting Services, says the continuing decline in compliance – and the finding that none of the responding organisations consider themselves to have an “optimised” compliance program – confirm that too many organisations have failed to address compliance properly.
“Most of the organisations that failed compliance have not done any proper strategy when it comes to their PCI compliance approach,” he told CSO Australia. “They treat this as an ad hoc project and not an ongoing capability piece.”
“When you treat your certification programs as a static project with a beginning and an end, it’s all the more likely that you will not be able to uncover sustainability issues that you can see from the controls you have implemented – and what level of competence is required to maintain PCI compliance from a business-as-usual perspective.”
Poor compliance with PCI DSS has implications for compliance with other compliance standards, such as the increasingly onerous requirements of privacy and cybersecurity policies such as the EU’s general data protection regulation (GDPR), APRA’s CPS 234 financial control, and upcoming Consumer Data Right (CDR) regime.
All require a significant effort to achieve compliance but, similarly, demand ongoing attention from businesses to ensure that security controls are maintained – and that new versions of the standard are equally well accommodated.
Despite the overall poor status of compliance, Asia-Pacific organisations were significantly more compliant (69.6 percent were compliant) than their peers in EMEA (48 percent) and the Americas (20.4 percent).
The gap between expected and actual controls was lower than the previous year – 10.2 percent compared with 16.4 percent – while analysis correlated breaches with higher rates of non-compliance around certain PCI DSS controls.
PCI DSS requirement 9 – which restricts physical access to cardholder data – was the most commonly complied-with regulation, yet the controls nonetheless failed in fully 75 percent of organisations. And most organisations struggled to meet requirement 10.2, which mandates the ability to reconstruct events through proper audit trails.
“We continue to see a strong correlation where PCI DSS compliance, if properly achieved and sustained, can go a long way to help organisations defend better against data breaches,” said Ashish Thapar, APAC managing principal within the Verizon Enterprise Solutions RISK team.
“We are yet to see an organisation that was compliant across PCI DSS requirements when we started the investigation.”
Aiming to help customers better target their compliance work, Verizon introduced what it has called the 9-5-4 Compliance Program Performance Evaluation Framework – combining Verizon’s 9 Factors of Control Effectiveness and Sustainability with the 5 Constraints of Organizational Proficiency and 4 Lines of Assurance.
The persisting shortfall in compliance could be a particular sticking point as the upcoming PCI DSS 4.0 moves the bar yet again. Following on from 2015’s PCI DSS 3.0 and 2016’s PCI DSS 3.2, version 4.0 will impose new compliance obligations by 2021.
With so many compliance requirements to cover, Delos Santos many companies are covering the bases by focusing on requirements that increasingly overlap between PCI DSS and cybersecurity best practice.
“There is a strong preference to making these environments, using the same principles you learned from PCI, to be applied across the board,” he explained. “Because of this kind of implementation, it has also strengthen their data compliance programs for other requirements as well.”
“Most organisations who have overlapping requirements, choose PCI DSS to be implemented and help them both on cardholder data security and data protection security.”