It's become apparent that more organizations are attaining PCI compliance, but far fewer can stay in compliance for a reasonable period of time.
Only 20% of companies surveyed in Verizon's 2015
"Companies fall out of compliance almost instantly upon achieving it," said Richard Moulds, vice president of product strategy at Thales e-Security.
Verizon's report, released last week, compiled research during 2014 from more than 500 security professionals in combination with data gathered during data breach forensic investigation reports from qualified security assessors.
Compliance went up for 11 of the 12 PCI DSS requirements at an average increase of 18%, with the largest being a jump from 33% in 2013 to 69% last year in the category of authenticating access. The only area where compliance fell was in testing security systems, dropping from 40% to 33%.
With data breaches as rampant as they have been especially among companies thought to have been PCI compliant this finding was perhaps inevitable. "Remaining PCI compliant is really hard to do," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
But it is good news that organizations are seeing the need for stronger authentication, considering so many breaches stem from poor credential security, Conroy added.
"Unfortunately, the places where businesses still most often fall short are also the most likely to expose the organization's soft underbelly," Conroy said. Those weaknesses are regularly testing security systems, maintaining secure systems and protecting stored data, she added.
Verizon emphasized the growing need for security diligence, citing a Price Waterhouse Coopers survey of 9,700 companies that reported detecting nearly 43 million security incidents in 2014 a compound annual growth rate of 66% since 2009, and a jump of 14 million since 2013.
In addition, Verizon revealed that not a single company it had investigated after a data breach in the last 10 years was found to be PCI compliant at the time of the breach.
"Current techniques are not stopping attackers, or even slowing them down," the report stated. Such a trend reinforces the argument from those who say PCI DSS has an over-reliance on protection and not enough on detecting attacks, mitigating damage and identifying residual risk, Verizon said.
Merchants and financial institutions should view PCI DSS as "a baseline, an industry-wide minimum acceptable standard, not a pinnacle of payment security," Verizon said.
Some also question whether PCI compliance has become too complex while also creating a "check the boxes" mentality.
"Organizations that focus on compliance and jump through all of the PCI hoops may achieve compliance for a moment in time, and then fall out of compliance the following year," said Dave Oder, CEO of security vendor Shift4 Corp. "But organizations looking to be secure at all times will find that compliance comes naturally."
Data security is increasingly important for merchants, as 69% of consumers say they would be less inclined to do business with a breached organization, the report said.
Verizon also encourages organization to take measures to get their payments network "out of scope" to fully isolate system components from the network when handling card data.
The report indicated companies have various options to reduce scope through data handling, system infrastructure or outsourcing part or all of the task of data handling and storage.
Ultimately, PCI compliance is an ongoing battle of wits with a growing sector of criminals in a digital age.
"The complexity of IT infrastructures and the pace of innovation results in inadvertent openings for cybercriminals, who are often all too quick to find them," Aite's Conroy said.
