A Verizon report shows a link between compliance with the payment card industry security standard and an organisation’s ability to defend against cyber attacks, but nearly half are failing to maintain compliance.
Of all the payment card data breaches Verizon investigated in the past year, no organisations were found to be fully compliant with the payment card industry data security standard (PCI DSS) at the time of breach.
Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 Payment Security Report.
PCI DSS is aimed at helping organisations protect payment systems from breaches and theft of cardholder data, which is becoming increasingly important as cyber crime increases and the deadline approaches for compliance with the EU’s General Data Protection Regulation (GDPR).
From May 2018, any company that does business in the EU could be hit by fines of up to €20m or 4% of annual turnover, whichever is the greater, for failing to protect EU citizens’ personal data, which includes payment card data.
The report, which tracks the performance of PCI compliance, is based on PCI assessments conducted by Verizon’s team of qualified security assessors (QSAs) for Fortune 500 and large multinational firms in more than 30 countries.
Although the report shows that the proportion of organisations Verizon assessed that achieved PCI compliance at interim validation rose to 55.4% in 2016, up from just 11.1% in 2012 and 48.4% in 2015, it still means that nearly half of retailers, restaurants, hotels and other businesses that take card payments are failing to maintain compliance from year to year.