Verizon’s 2015 PCI Compliance Report shows some good news and bad news regarding businesses and PCI compliance.  One of the most important findings is that more organizations are meeting full compliance, but the downside, they are not able to sustain compliance long-term.

 

  • The percentage of compliant organizations went from 11.1 percent in 2013 to 20 percent.
  • Around 93.7 percent of enterprises were PCI compliant when it came to subcontrols and testing procedures.
  • But only 28.6 percent of businesses stayed PCI compliant less than a year following a successful PCI validation.

 

One reason for unsustainability could be that companies don’t have a strong set of procedures in place.  Another component is the fact that assessments review an organization’s status in that moment, with the number of devices and systems present at that time.  If the recently assessed business makes an addition to its devices the day after their evaluation, they could already no longer meet compliance.

 

When we dive into Verizon’s report a little further, we find that they analyzed each of the 12 PCI DSS requirements and most businesses met all of the requirements except for Requirement 11.

  • According to the report, the testing procedures that companies failed most often and used a compensating control for, within Requirement 11, were procedures that “validate the detection and identification of all authorized and unauthorized wireless access points on a quarterly basis,” and deploy change-detection mechanisms, such as file integrity monitoring.

 

Additionally, for Requirement 8 (out of the 12 PCI DSS requirements), only 33 percent were compliant in 2013, while the number rose to 69 percent the year later.  For Requirement 10 on the other hand, only 44 percent were compliant during their gap assessment, but that number rose to 76 percent the year later.

 

A last takeaway from the Verizon PCI Compliance Report is that if you are compliant, you are less likely to suffer a data breach.  Assessments conducted of companies that have been breached, were never found fully compliant; indicating that PCI compliance does play its role in the security of data.

 

The Verizon research shows that businesses can’t maintain compliance long-term, which makes it unsustainable and ineffective for securing data; especially if it is the only security measure taken by businesses.

 

Security isn’t a one-time action; it’s a process and requires continuous attention.  Passing an assessment once isn’t enough to keep your organization safe.  The only way to decrease risks and vulnerability to breach is to apply a holistic and comprehensive security program.

 

What are your biggest challenges with maintaining long-term PCI compliance and adopting a reactive security posture?

 

Photo courtesy of Nattapol Sritongcom