
Summary Bullets:
• In 2020, Verizon compiled data from PCI DSS security assessors at Verizon and from four outside sources to analyze the state of compliance and data security ahead of the release of PCI DSS 4.0, the latest version of the specification, earlier this year.
• The results are encouraging: 43.4% of assessed organizations maintained full compliance at their interim assessment in 2020, versus 27.9% in 2019.
While the need to meet regulatory and contractual requirements around data protection is often cited as a driver of investment in security technology, organizations too often struggle to keep protections in place during the interim periods between Payment Card Industry Data Security Standard (PCI DSS) assessments. That inconsistent enforcement leaves organizations that handle sensitive payment card data exposed to breaches.
To address this, industry leaders have been running an active education campaign on how important continuous enforcement of compliance controls is to an enterprise's security posture. To further help organizations establish security controls and practices that fit their environment, the Payment Card Industry Security Standards Council (PCI SSC) released PCI DSS 4.0 in March 2022. PCI DSS 4.0 gives enterprises two alternative models for implementing and validating controls: a defined approach that follows the requirements as written in the standard, or a customized approach that meets each requirement's stated objective in a way that diverges from how the control is described in the specification.
In the customized approach, the enterprise must demonstrate rigorous security processes and effective risk-management practices through design, documentation, and testing. Whichever approach it chooses, an enterprise achieves a strong security posture only by maintaining its controls continuously, not just in preparation for an assessment.
There are signs that organizations were getting the message about consistent enforcement of PCI controls even before the new version's debut. In its Payment Security Report issued earlier this month, Verizon cited progress in consistency and in closing control gaps: based on data collected in 2020 from both Verizon and external PCI security assessors, 43.4% of organizations maintained full compliance, versus 27.9% in 2019.
While the progress is notable, it also means that more than half of the organizations assessed did not sustain full compliance between audits. There is clearly more work to be done.