If you work for any organization that processes credit or debit card information, you’ve heard of the Payment Card Industry Data Security Standard (PCI DSS), the regulatory standard aimed at preventing costly data breaches like the ones you may have heard about at Home Depot or TJX. But how much do you really know about PCI DSS compliance? Here are some interesting PCI DSS compliance statistics you may have missed.
This is the best news on the list. According to Verizon’s latest PCI DSS Compliance Report, the number of organizations that are fully compliant at the time of interim assessment is growing rapidly each year.
While the increase in businesses taking PCI DSS compliance seriously is important, the number of compliant organizations was very low to begin with. According to Verizon’s report, four out of five companies still fail at interim assessment.
A Newscycle Solutions survey found that only a small number of executives felt confident they had achieved PCI DSS compliance. Another 13 percent were not certain. While this compliance statistic is a snapshot of a specific industry, it’s common across all types of organizations to feel unsure about meeting PCI DSS standards. IT infrastructure becomes more complex every day, PCI DSS rules change frequently, and many companies lack up-to-date expertise.
Many businesses check PCI DSS compliance off the list and then stop worrying about it. Unfortunately, less than a third have maintained compliance a year later. While successfully demonstrating PCI DSS compliance to an auditor is a big relief, it won’t keep your business safe from security threats. The Verizon report recommends building a robust framework with security policies, procedures, and testing mechanisms to ensure compliance every day of the year.
One of the least understood aspects of PCI DSS compliance is that the fines for non-compliance are levied on the payment processors or credit card companies (the acquirers) that work with the non-compliant business, not the business itself. Those fines range from $5,000 to $100,000 a month. Of course, the acquirer will recoup the money from you, quite likely with added penalties and increased transaction fees.
This statistic is just in case you thought that PCI DSS standards were only important for your auditors. In Verizon’s ten years of having a forensics team investigate PCI DSS compliance, they have never found a company that was fully PCI DSS compliant at the time it was breached. Take note.
A 2017 study from SecurityMetrics reported that in 2016, the largest single origin of compromise was through insecure remote access. PCI DSS regulations recognize remote access as a vulnerability, and instructs organizations to protect against breach via remote access by implementing “two-factor authentication for remote access to the network by employees, administrators, and third parties,” in requirement 8.3.
According to the Ponemon Institute, which tracks the costs of data breaches every year, the current amount is up 29 percent since 2013. Refer to #6 for why this statistic directly relates to your PCI DSS compliance.
According to Verizon, the majority of consumers would be hesitant to do business with an organization that has suffered a data breach. If you’re having trouble justifying the cost of robust security solutions, this is what you need to think about: being complacent about PCI DSS compliance today could lead to years of lost customers and a damaged reputation for your brand.
Stemming from statistic number six, the 2017 SecurityMetrics study also found that the average breached merchant was not compliant with a significant percentage of PCI DSS requirements at the time of breach. The study supposes that this lack of compliance is attributed to a lack of trust in the effectiveness of these regulations, or a believe that PCI requirements are too technical or too costly to implement.
It’s clear that many organizations are struggling with PCI DSS compliance. It doesn’t have to be difficult. Seek out security software solutions that protect your valuable data using up-to-date methods, generate detailed logs to keep auditors happy, and allow you to easily test for PCI DSS compliance.
The next set of PCI DSS deadlines are coming in 2018. Is your business prepared? Read this whitepaper to learn what changes are necessary before the 2018 deadline.