Each year, Verizon issues a report summarizing the results of Payment Card Industry Data Security Standard (PCI DSS) compliance assessments of Fortune 550 and large multinational firms. According to the 2017 Payment Security Report, 55.4 percent of organizations passed their interim assessment in 2016 compared to only 48.4 percent in 2015. But while those numbers show improvement, they still indicate that almost half of organizations accepting payment cards are not maintaining PCI DSS compliance from year to year.
Mandated by Visa, MasterCard and other card issuers, the PCI DSS requires “all merchants with internal systems that store, process or transmit cardholder data” to comply with 12 key data protection measures and submit to security audits. These measures include logical and physical access controls, activity monitoring and logging, encryption, and regular network scans. Organizations can face substantial penalties if they are not compliant with PCI DSS and suffer a data breach involving payment card information.
Although the PCI DSS is designed to protect against the theft of cardholder data, the standard’s requirements represent basic security controls that all organizations should have in place. In fact, the Verizon report reveals a link between PCI DSS compliance and an organization’s ability to defend against a cyberattack — none of the organizations that experienced a data breach were fully compliant with the PCI DSS.
The report also found a growing “control gap,” meaning that organizations were lacking more of these basic controls than in previous years. In the 2016 report, organizations failing their interim assessments were missing an average of 12.4 percent of controls. In the 2017 report, that figure rose to 13.0 percent.
The Verizon report offers five guidelines to help organizations ensure they have effective security controls in place:
- Recognize that security controls are interconnected. If there is a problem with one control, it will likely impact the performance of others.
- Consolidate controls for ease of management. Adding more security controls is not always the answer — the PCI DSS already contains numerous data protection measures. Organizations should use the structure of the PCI DSS to combine controls so that one control satisfies multiple requirements.
- Invest in security expertise. Organizations should develop and maintain the knowledge needed to enhance, monitor and measure the effectiveness of their security controls, or partner with a managed services provider such as SSD.
- Automate security as much as possible. Automation can help reduce the risk of human error and ensure that controls are kept up-to-date. All automation should be audited frequently, however.
- Apply a balanced approach. Security tools aren’t enough. Organizations need to follow security best practices and maintain robust and resilient business processes to avoid falling out of compliance.
The PCI DSS does not mandate any particular security tool — it’s a flexible framework that gives organizations the ability to choose the tools that make the most sense for them. The standard is also updated frequently to reflect changes in technology and evolving security threats.
If you’re worried about PCI DSS compliance, or simply want to leverage the standard to boost your security posture, give SSD a call. Let us show you how our comprehensive security services can help you protect your sensitive data and meet regulatory requirements.