Maintaining payment security compliance is key to preserve consumer and supplier trust in a brand. However, the Payment Security Report (PSR) 2018 showed that compliance with the Payment Card Industry Data Security Standard (PCI DSS), the standard that protects this data is slipping. In order to stop this downward trend, businesses need to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.

Why is compliance so important?

The Payment Card Industry Data Security Standard (PCI DSS) helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. PCI DSS compliance has been shown to help protect payment systems from both data breaches and theft of cardholder data, highlighting how vital compliance is.

However, after documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), the PSR 2018 revealed  a worrying downward trend, with companies failing compliance assessments and perhaps, more importantly, not maintaining full compliance. 

The facts speak for themselves

Data gathered by PCI DSS qualified security assessors (QSAs) during 2017 demonstrates that PCI compliance is decreasing amongst global businesses, with only 52.4 percent of organisations maintaining full compliance in 2017, compared to 55.4 percent in 2016. Regional differences are highlighted, demonstrating that companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8 percent, compared to those based in Europe (46.4 percent) and the Americas (39.7 percent).

Often these differences can be attributed to the timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems. For example, a PCI project is started in one region and then rolled out across the globe. This means that key learnings are often made and problem areas solved prior to the compliance assessments taking place in other regions.

Every business sector has its own compliance challenges

No two business sectors are the same and this also runs true when it comes to payment security compliance. 

Generally, the PSR 2018 showed IT services remain on top when it came to compliance, with over three-quarters of organisations (77.8 percent) achieving full status. Retail (56.3 percent) and financial services (47.9 percent) were significantly ahead of hospitality organisations (38.5 percent), which demonstrated the lowest compliance sustainability. Many businesses often leverage PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR). The gap between the various business sectors that deal with electronic payments on a daily basis is significant.

It is important to remember that one size does not fit all when it comes to compliance strategies as different industries have different risks inherent to their specific activities. For example, whilst businesses need to be compliant to the entire standard to be PCI DSS certified - retail stores need to specifically concentrate on the security of their ‘Payment Terminals’ (PCI DSS Chapter 9 and Chapter 2); eCommerce is totally different and should focus on all Internal and external scans related to the ‘Web Server’ (PCI DSS Chapter 11), not to forget Hardening (PCI DSS Chapter 2) and ‘Key Management for Databases’ (PCI DSS Chapter 3) and finally Financial Services need to be good in all aspects of the Standard. This business sector often struggles most with Chapter 6 ‘Develop and Maintain Secure Systems’ and Chapter 2 ‘Do not use vendor supplied defaults’.

Control effectiveness and sustainability are essential

Over the years we have seen that maintaining compliance is often the issue – specialist PCI Compliance project leaders can leave mid project and the awareness of a company’s compliance status leaves with them. In addition, many companies flounder without a clear structure to sustain compliance. Or alternatively, unskilled professionals are tasked with maintaining compliance with the PCI standard, but they do not have the basic knowledge to achieve this goal.

As a result, there is a requirement to have a better set of processes in place that help businesses to comply with the 12 key PCI DSS requirements. With this in mind, my next article will focus on what I see as the nine key factors of control effectiveness and sustainability to support these standards.