PCI Compliance: 80% of merchants fail to maintain it

Four out of five organizations that achieve PCI compliance will fail an assessment less than one year later. That finding comes from Verizon’s 2015 compliance report for the Payment Card Industry Data Security Standard.

The report paints a picture of an industry too focused on one-off assessments. Not enough attention is paid to creating a secure environment and maintaining PCI compliance for the other 364 days of the year.

The data comes from Verizon’s team of security assessors, breach investigators, and other security experts as they worked with clients from 2012 through 2014.

Highlights of the report:

Compliance is easy – maintaining it is hard

One point to clarify: this report uses data from two different types of PCI assessments:

  • Final report on compliance (FRoC) – This report is given to each merchant after an annual PCI compliance assessment.
  • Interim report on compliance (IRoC) – This report comes after a FRoC. It’s the result of an interim assessment conducted less than one year after a merchant successfully validated PCI DSS compliance.

In other words, the interim report shows whether merchants are maintaining compliance – and the results are not good. Only 1 in 5 organizations (20%) is compliant less than one year after a successful validation.

PCI compliance 2014 interim assessment chart

So 80% of merchants fail the assessment less than one year after validating their PCI compliance.

How can this happen? Reasons offered in the report include a widespread lack of procedures for managing and maintaining compliance. Controls are poorly designed or poorly implemented, and there is too much reliance on error-prone and costly manual operations. All this adversely affects business efficiency and security.

No company is PCI compliant at breach

We have argued many times that PCI compliance does not equal security. An organization that focuses solely on the requirements will be disappointed by the protection they provide. Effective security cannot be mandated by a set of industry regulations.

That said, Verizon has never seen a company breached while PCI compliant. In 10 years, every breach occurred while the merchant was neglecting at least one requirement, according to the report.

What does this tell us? Although PCI DSS compliance does not equal security, it’s better than nothing. Many of the controls required by PCI DSS will help organizations improve security, even if they are not an effective blueprint for building a safe and secure environment.

Two PCI requirements highly correlated with breach

Verizon’s team really dug into the data for this report. They even looked at organizations that were breached to understand how their PCI compliance changed between an interim assessment and the security incident that came later.

Two requirements that EVERY breached organization failed to meet in 2014:

  • Requirement #6. Develop and maintain secure systems and applications
  • Requirement #10. Track and monitor all access to network resources and cardholder data

The report’s authors say fulfilling these two requirements is likely to give you the “biggest bang for your compliance buck.” Failure to comply with them is more closely associated with having a breach than the other requirements.


Steady rise in security incidents

Anyone who lived through 2014 can tell you security incidents are rising. Verizon’s report quantifies the general feeling across the industry.

Security incidents have increased 66% on average every year since 2009. In 2014, the increase nearly hit 50% with total reported incidents at 43 million.

Expect rise in card-not-present fraud

EMV cards, also known as “chip and PIN” or “chip and signature” cards, are growing in the U.S. and are expected to become standard by the end of the year. Merchants have to begin accepting them by October or become liable for all fraudulent card-present transactions on their systems. That shift in liability is expected to drive widespread adoption.

Canada introduced the cards in 2008, and looking at the country’s experience shows us we can expect a drop in card-present fraud. However, we can also expect a sharp rise in card-not-present fraud as criminals change tactics.

EMV card not present losses 2014

You can see a clear decline in Canada’s lost/stolen fraud between 2008 and 2013 and a clear rise in card-not-present fraud. The net result appears to be a slightly larger volume of total losses. Will the U.S. see the same trend? Only time will tell.

Also: mobile payments get a lot of news, but their popularity is dwarfed by the number of card transactions. Card use is growing in every region of the world. In the U.S., credit and debit cards account for two-thirds of all purchases by value.


Written by Calyptix - March 18, 2015
