80 Percent of Businesses Fail Interim PCI Compliance Assessment

12 March 2015

Verizon’s 2015 PCI Report Indicates Organizations Should Treat PCI Compliance as an Ongoing Focus; Lack of Compliance Linked to Data Breaches

Nearly 80 percent of all businesses fail their interim PCI Compliance assessment leaving them vulnerable to cyberattacks, according to Verizon’s just released 2015 PCI Compliance Report.  With more than two-thirds of all purchases made by payment cards, security has become more important than ever for organizations that process credit card transactions now expected to exceed $20 trillion in 2015.

In fact, 69 percent of all consumers are less inclined to do business with a breached organization, making adherence to the Payment Card Industry (PCI) Data Security Standard crucial.

In its fourth annual installment, Verizon’s 2015 report examines the state of PCI  compliance and its correlation to data breaches among organizations in the financial services, retail and travel and hospitality industries from around the world. 

This year’s findings indicate that only 28 percent of companies are still fully DSS-compliant less than a year after being validated.  While annual compliance and ongoing control standard maintenance remains low, there is some positive news in the 2015 report. 

Twice as many companies were validated as compliant at initial compliance review in 2014 as compared to 2013 and this is a positive sign the report notes.  

The two key areas where organizations fall out of compliance include regularly testing security systems and processes and maintaining firewalls.

Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI-compliant at the time of the breach. 

“This finding alone has huge implications,” said Rodolphe Simonetti, managing director for Verizon’s PCI practice.  

Among key findings, the report indicates that:

  • Between 2013 and 2014 compliance went up for 11 of the 12 PCI DSS Requirements – the average increase was 18 percentage points. The biggest increase was in authenticating access (Requirement 8).
  • The only area where compliance fell was testing security systems (Requirement 11) from 40 to 33 percent. 

Another troubling trend from this year’s report is that data security is still inadequate, said Simonetti.

Given the volume and scale of data breaches in the last 12 months make it clear that current techniques are not stopping attackers – in many cases they aren’t even slowing them down. PCI DSS Compliance is must be viewed as part of a comprehensive information security and risk-management strategy.  A PCI DSS assessment can uncover important security gaps that should be fixed, but it is no guarantee that the data is safe.

 “Today’s cybersecurity landscape is constantly changing,” said Simonetti. “Compliance at a point in time isn’t sufficient to protect data. Putting the focus on making compliance sustainable is key.  It must be a part of day-to-day activities within an organization’s greater security strategy.”

2015 PCI Compliance Report from Verizon Enterprise Solutions  

This year’s report covers four years of data and includes the results from thousands of PCI assessments conducted by Verizon’s team of PCI Qualified Security Assessors for mostly Fortune 500 and large multinational firms in more than 30 countries.  Similar to the 2014 report, Verizon takes an in-depth look at each of the 12 PCI requirements, including a first-time look at compliance against the 3.0 standard with an eye toward the soon to be released 3.1 standard. 

The 2015 report also includes details how and where companies fall out of compliance once achieved.  It also will include a section explaining “how to make compliance easier,” featuring actionable recommendations for enterprises that want to stay PCI compliant.

PCI Report Findings Based on Actual PCI Assessments

Similar to Verizon’s Data Breach Investigations Report (DBIR) series, the PCI Report is based on actual casework and is the only report of its kind in the industry. This report analyzes PCI Data Security assessment data, with a specific focus on the financial services (30 percent), retail (26 percent) and hospitality (15 percent) industries across the Americas (55 percent), Europe (23 percent) and the Asia-Pacific (22 percent) region.

The 2015 PCI Report can be viewed on the Verizon website.


Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development