Global PCI DSS compliance plummets

Nearly two thirds of organisations around the world that accept card payments are putting customers at risk by failing to ensure full PCI DSS compliance, according to a Verizon report.

Fifteen years after Visa launched the PCI DSS (Payment Card Industry Data Security Standard) the percentage of businesses achieving and maintaining compliance sits at just 36.7% worldwide, down from 52.5% in 2018.

Geographically, organisations in the Asia-Pacific region show a stronger ability to maintain full compliance at 69.6%, compared to 48% in Europe, Middle East and Africa, and just 20.4% in the Americas.

Rodolphe Simonetti, global managing director, security consulting, Verizon, says: “After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences.

“We see an increasing number of organisations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data.”

Verizon says there is a clear link between a lack of PCI DSS compliance and the risk of suffering data breaches. The report concludes that a compliance programme without the proper controls to protect data has a more than 95% probability of not being sustainable and is more likely to become a target of a cyberattack.

Says Simonetti: “Our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organisation. Compliance works!”

Comments: (2)

Steve Wainwright
Steve Wainwright - Utimaco - New York, 12 November 2019, 19:02

Is it a marketing fail? Those of us in the industry know PCI, but the public does not. Branding to help build consumer awareness and choice and motivate adoption would go a long way.

A Finextra member
A Finextra member, 04 December 2019, 15:31

The imposition of PCI DSS standards on merchants in particular was the biggest and most expensive shift in corporate responsibility from the card schemes to merchants, which forced them to comply with complex rules, audits and compliance measures that were never-ending. The card schemes should accept full responsibility for maintaining a product (card payments) the function and operation of which are no longer fit for purpose. It's THEIR problem and they should have addressed it years ago.