- Only 1 in 5 organizations in the U.S. maintain full compliance; Asia-Pacific companies perform better.
- Most firms studied in the Verizon report meet a majority of PCI DSS requirements except when it comes to security management, and testing systems and processes.
According to the Verizon 2019 Payment Security Report, payment security compliance has slumped for the second year in a row, with organizations based in the Americas lagging behind their counterparts elsewhere in the world. Only one in five American companies meets the compliance requirements.
What stunned everyone?
According to the report, full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7 percent globally, down by 15.8 percent from the previous year.
- At 69.6 percent, companies in Asia-Pacific have the highest rate of full compliance.
- Europe, Middle East, and Africa had 48 percent of companies meeting full compliance standards.
- On the other hand, merely 20.4 percent of companies have full PCI DSS compliance in the U.S.
- Only around one in three companies globally maintain full compliance.
Understanding PCI DSS compliance
The PCI DSS program was formed through collaboration between various credit card companies such as Visa, Mastercard, American Express, Discover, and JCB. It was designed to ensure that all companies dealing with payment processes maintain data security and follow interoperable processes.
There are 12 PCI DSS requirements grouped into six areas:
- building and maintaining a secure network and systems
- protecting cardholder data
- maintaining a vulnerability management program
- implementing strong control measures
- monitoring and testing networks regularly
- maintaining an information security policy
More from the report
Compliance programs often fall short in preparing companies for real-world threats. Though compliance improved gradually from 2010 to 2016, it has declined since then. Lapses in payment security compliance raise a number of security issues.
- Most firms studied in the Verizon report meet a majority of the PCI DSS requirements, except for one requirement relating to security management and the testing of systems and processes.
- The report also points out that complying with the requirements is largely about demonstrating controls on paper for data and privacy protection, which also contributes to the compliance problem.
- Verizon's report is based on 302 PCI DSS engagements with global companies.
Ciske van Oosten, Senior Manager of the Global Intelligence division at the Security Assurance Consulting practice of Verizon, said, “It has been 15 years since PCI DSS passed, but it is a private-sector effort. If you don't comply with PCI DSS, there are penalties that can be applied to service providers and merchants. Enforcement is business to business and in contracts. If you are not compliant and have a breach, you will be held liable. The ultimate consequence is being disconnected from the financial networks.”