Enterprises (especially retail, hospitality) struggle with payment card data security standards

A Verizon report highlights that more organizations are compliant with PCI DSS, but companies still struggle with security controls.
Written by Larry Dignan, Contributor

More enterprises are complying with the Payment Card Industry Data Security Standard (PCI DSS), but the number of organizations in compliance is still low enough to leave the door open for cyberattacks, according to Verizon.

First, the good news. According to the Verizon 2017 Payment Security Report, 55.4 percent of organizations complied with PCI when validated in 2016, up from 48.4 percent in 2015. However, maintaining compliance is an issue, said Verizon.

And there are still 44.6 percent of organizations such as retailers, restaurants and hotels not up to PCI standards. The PCI DSS requirements exist to allow businesses to take card payments while protecting their systems from cardholder data breaches. The requirements include items such as firewalls, controls for data in transit, encryption and authentication.

That lack of compliance is notable because, of all the payment card data breaches investigated by Verizon, no organization was fully compliant at the time of the breach. Simply put, PCI DSS compliance is directly linked to data breaches.


Meanwhile, almost half of the companies that pass validation fall out of PCI DSS compliance within a year.

Key items from the Verizon payment security report:

  • The IT services industry had the highest full PCI DSS compliance with 61.3 percent fully compliant during interim validation.
  • 59.1 percent of financial services organizations were fully compliant, but many struggled with security procedures, configurations, vulnerability management and overall risk.
  • 50 percent of retailers and 42.9 percent of hospitality organizations were PCI DSS compliant. Retailers struggled with security testing, encrypted data transmission and authentication, while hospitality and travel groups struggled with security hardening, protecting data in transit and physical security.
  • 13 percent of companies failed interim assessments due to absent controls.

Verizon added that enterprises need to consolidate security controls for easier management, develop both expertise and their people, maintain internal controls and interlink them, and automate.
