In Verizon’s 2019 Payment Security Report, it was revealed that in 2018 only 36.7% of businesses were fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). Over the past several years, PCI DSS compliance has been steadily slipping: in 2016 average compliance stood at 55.4%, and in 2017 it dropped three points to 52.4%.
An interesting takeaway from the report was the breakdown of PCI DSS compliance across the globe. In fact, the report found that organizations in the Asia-Pacific (APAC) region were most consistently compliant at 69.6%, compared to 48% in Europe, the Middle East and Africa (EMEA) and, disappointingly, just 20.4% in the Americas.
Why is PCI compliance trending downward?
These findings raise the question: why is PCI DSS compliance dropping, despite the data-protection benefits it offers? The answer may lie in a poor or inconsistent corporate approach. These statistics suggest that boardrooms are treating compliance as a one-off, quick fix rather than an ongoing obligation. Perhaps businesses are forgetting that data security regulations are policed regularly, and non-compliance is punishable by large fines.
It is essential that compliance issues are addressed on a regular basis before it’s too late. We don’t want to see a worrying trend of corporations becoming apathetic about compliance.
Many corporations invest significant resources in data protection programs that look good on paper but fail to offer comprehensive protection. According to the Verizon report, 5.6% of organizations still rely on compensating controls to meet Requirement 3.4, which stipulates that PANs must be rendered unreadable wherever they are stored. Reliance on compensating controls often leads to security teams plugging holes instead of addressing the root problem through a holistic approach. Indeed, if businesses incorporated PCI DSS compliance as standard practice, the number and severity of breaches would surely drop before fines are imposed.
How to ensure PCI compliance
The best way to improve compliance across the board is to operate with a data-centric security mindset. Decision-makers should take it upon themselves to ensure appropriate safeguards are in place without being influenced by chronic, industry-wide apathy. There are tools, such as tokenization, available to help companies sustain the ongoing effort of compliance.
Tokenization renders sensitive data unreadable to unprivileged users, whether the data is in motion, in use or at rest, and helps to ensure compliance with Requirements 3 and 4. If there is any doubt, deploying additional security measures could make the difference between customer satisfaction and a hefty fine. Don’t let your company be the one that loses data because its security isn’t up to scratch.
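The following is an added example, not code from the original article or from any vendor it describes, showing the mechanism behind the claim above: a token vault keeps the PAN in one tightly scoped place, and every downstream record (orders, logs, analytics) holds only a random token plus the last four digits, so Requirement 3.4's "unreadable wherever stored" is met by construction for those systems. The vault design (an HMAC-keyed reverse index so one card always maps to one token, a `tok_` prefix, in-memory dictionaries standing in for an encrypted store) and the test card number 4111111111111111 are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation: a cheap sanity check before tokenizing."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal token vault (assumed design for this example).

    The reverse index is keyed by HMAC(PAN) so the same card yields the same
    token without the index itself holding cleartext PANs. In a real deployment
    _pan_by_token would be an encrypted store reachable only by this service.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._pan_by_token: Dict[str, str] = {}   # token -> PAN
        self._token_by_hmac: Dict[str, str] = {}  # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a random token for the PAN; reuse it if the card is already known."""
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        key = self._index(pan)
        if key in self._token_by_hmac:
            return self._token_by_hmac[key]
        while True:
            token = "tok_" + secrets.token_hex(8)   # no relation to the PAN
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_hmac[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, a privileged and tightly scoped service, reverses a token."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


def masked(pan: str) -> str:
    """Display form for unprivileged users: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def build_order_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the orders database stores: a token and last four, never the PAN."""
    return {
        "token": vault.tokenize(pan),
        "last4": pan[-4:],
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    # Constructed input: a well-known Luhn-valid test card number, not a real card.
    vault = TokenVault(index_key=b"constructed-index-key-for-example")
    order = build_order_record(vault, "4111111111111111", 1999)
    print(order)                              # token and last4 only
    print(masked(vault.detokenize(order["token"])))
```

The point for a compliance review is the split of responsibilities: systems that only ever see `order["token"]` and `last4` hold nothing Requirement 3.4 applies to, which shrinks the cardholder data environment to the vault itself; the HMAC key and the vault store are then the assets that need the strong controls.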