The State of PCI Compliance in 2014: Getting Better but Still Insufficient

Linda Musthaler
By | April 30, 2014

Posted in: Network Security Trends

2014 marks the 10-year anniversary of the Payment Card Industry Data Security Standards (PCI DSS). It is also the year that version 3.0 of the set of security standards was released. All merchants who accept credit and debit cards as a form of payment should now be upgrading their systems to meet the new higher standards of PCI DSS 3.0.

There are still 12 primary requirements within the standards, but they now consist of more than 400 controls and sub-controls. Of course, merchants only have to apply the controls that apply to their specific environment where the cardholder data exists, even if the data’s encrypted.

Verizon has issued its 2014 PCI Compliance Report that gives us a snapshot of how well the big merchants are doing in their compliance efforts. The report is based largely on information gleaned from hundreds of compliance assessments carried out by Verizon’s PCI Security practice. It’s based on compliance with PCI DSS 2.0, which was the incumbent set of standards when Verizon did these assessments.

The study covers businesses in the retail, hospitality, financial services and other industries and primarily focuses on Level 1 merchants—i.e., those that process the highest volumes of electronic payments.

After all these assessments and all its analyses, Verizon has concluded that “compliance remains a major issue” for these businesses. The report authors write:

[O]ur research also shows that the vast majority of organizations are still not sufficiently mature in their ability to implement and maintain a quality, sustainable PCI Security compliance program, and they continue to struggle to provide the required compliance evidence at the time of the annual compliance validation assessment.

Moreover, Verizon discovered:

According to our research, only around one in ten organizations were fully compliant with PCI DSS 2.0 at the time of their baseline assessment.

In fact, Verizon says only 11.1% of the companies it assessed initially met all 12 requirements of PCI DSS 2.0. The statistics aren’t a heck of a lot better if we look at how many companies met 10 out of 12 requirements (24.4%), or 9 out of 12 (42.2%), and so on. Take a look at this chart from the compliance report.

verizon pci report










Source: Verizon 2014 PCI Compliance Report

Nevertheless, Verizon says its research indicates that “organizations are complying at a higher rate than in previous years.” That’s a step in the right direction.

Still, with so many companies failing to meet all the requirements, at least initially, it begs the questions: If some of the largest merchants in the world have difficulty meeting all of the security standards of PCI DSS, are the standards too high? Can they even be met at all? Or are merchants just not trying hard enough? The Verizon analysts point out:

Despite the increasing maturity of the standard and organizations’ understanding of it, attaining compliance remains far from easy — and so it should. Protecting cardholder data is important and the threats to it are very real.

As recent retail breaches have shown us, attackers have gotten quite sophisticated in their approaches, and it has paid off. According to The Nilson Report, the global cost of card fraud has risen from less than $3 billion in 2000 to more than $11 billion by 2013. Data from a compendium of Verizon Data Breach Investigations Reports show that payment card data remains one of the easiest types of data to convert to cash, and is therefore the preferred choice of criminals.

PCI DSS 3.0 has increased and refined the security guidelines that merchants must follow. Companies will complain about the additional burden of compliance with this new version—the cost, the time, the complexity. Nevertheless, the motivation remains clear: it’s not to achieve PCI compliance but to avoid the stifling costs of a breach like the one that Target Corporation just suffered. No company wants to experience what Target has gone through: $61 million in costs so far, 46% drop in net profits in the crucial holiday shopping quarter, and an initial 11% drop in stock value.

We consumers don’t want to see more merchant data breaches either.  Let’s hope they can get their act together and get better at closing their security gaps.



You May Also Be Interested In: