October 5, 2017
The effectiveness of PCI DSS compliance has been hotly debated by both security experts and the companies subject to its requirements. But having no program at all invites disaster, according to the findings of a recent report from Verizon. In its 2017 Payment Security Report, Verizon found that of the more than 300 network intrusions the company investigated involving payment card data, not one of the breached companies was PCI certified at the time of the attack.
While the rate of compliance has risen significantly in recent years, over half of all companies that store payment data are still not PCI compliant. Of those 300+ breaches involving payment data, only 9 percent of affected companies showed any evidence that they had ever had a PCI DSS program. And more than 44 percent of companies that were compliant at one time fell out of compliance within nine months of validation.
“Cybercriminals are always improving, learning, and working to stay one step ahead of data security,” a Verizon spokesperson said. “Therefore, companies cannot check the box on compliance once and then walk away. Constant monitoring of updated regulations and technology is essential for the protection of important data.”
As the recent negative publicity surrounding credit bureau Equifax shows, the impact of a security breach on a company’s brand reputation can be severe. The direct monetary damage can be just as severe. Verizon found 66 percent of consumers would be unlikely to do business with an organization that experienced a breach in which financial and sensitive information were compromised. Payment card brands and the U.S. government have also levied fines, so failing to keep a company’s network security current is a costly failure, with fewer sales from distrustful consumers available to offset the fines.
There could be ramifications internationally as well. Any company doing business in the European Union will soon be subject to the new General Data Protection Regulation (GDPR), which includes a provision to fine companies for failing to protect personal information, a category that covers payment credential data. Fines under the GDPR can be up to €20 million ($23.5 million) or 4 percent of turnover, whichever is greater.
According to Verizon, the need for payment data security will only continue to become more important over time.
“PCI DSS compliance does not necessarily equal being secure. It isn’t simply the controls in the PCI DSS themselves, but the approach taken to implement them that determines their effectiveness,” said the spokesperson. “Companies with the mindset of security as part of the daily routine are demonstrating the way to maintain security throughout the year and also can demonstrate how true security also affects compliance to the PCI DSS.”
For additional information, download the Verizon 2017 Payment Security Report.