Summary Bullets:
- Verizon’s annual Payment Security Report captures a snapshot of organizations struggling to sustain successful controls and best practices over time.
- The evidence shows that those who do sustain them are rewarded with a better-fortified defense against breaches.
Fifteen years after the payment card industry settled on a single data security standard with PCI DSS, there are indications that too many organizations’ security practices haven’t reached the level of maturity that would have been expected by now. In Verizon’s annual survey of payment card industry security practices, only 37% of the 302 surveyed enterprises consistently sustain full compliance with the 12 specifications outlined in PCI DSS over time. Effectively, most organizations are focusing on meeting the basic requirements rather than developing consistent and effective security practices – not unlike a procrastinating student who is only looking to pass the test. Just 18% check whether they are meeting PCI DSS specifications more often than the standard mandates.
The Verizon survey highlights significant regression in terms of practices. Just three years ago, 55% of the surveyed organizations reported that they were maintaining security controls in compliance with PCI DSS specifications at all times. An alarming 18% of enterprises admitted they have no formal compliance program in place at all. And only one-fifth described their data protection compliance programs as ‘advanced.’
While it is true that compliance does not equate entirely to effective security, regulations and security mandates can provide an important blueprint to help organizations establish controls and develop best practices. It is worth noting that, according to the Verizon research, no organization that was hit with a breach was 100% compliant with all 12 PCI DSS specifications at the time.
What is clear from the study is that too many enterprises are not advancing their security practices and methodologies over time, leaving valuable assets exposed. Meeting compliance standards at a point in time only to let controls slide later is a very risky practice. Enterprises need to treat compliance as a foundational step to a broader set of security methodologies and practices that need to evolve with the business.