Report: Downward Trend in PCI Compliance

BASKING RIDGE, NJ—Verizon has released its “2018 Payment Security Report,” which looks at the progress organizations have made toward compliance.

For the first time, the report shows a downward trend, with companies failing compliance assessments or not maintaining full compliance. Among the other key findings:

  • The hospitality industry came in at just 38.5% fully compliant, the lowest compliance score compared to other industries.
  • In a number of categories, hospitality came in dead last compared to other industries. These included protecting data in transit (61.5% compliant), maintaining a firewall (69.2% compliant) and protection against malware (76.9% compliant).

“PCI Compliance standards are slipping across global businesses and this simply can’t continue,” said Rodolphe Simonetti, global managing director for security consulting, Verizon. “Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness and to concentrate on managing the sustainability of their data protection.”

“Data-sharing and cross-industry collaboration is vital to understand the evolving threat landscape and to progress global payment security. As evident in this report, organizations continue to face challenges maintaining high levels of security and demonstrating ongoing compliance in rapidly changing environments,” said Troy Leach, CTO of the PCI Security Standards Council. “Organizations should pay close attention to the findings in the report to remain vigilant for key learnings on how to remain secure. Compliance should never be seen as the end goal for security but rather a measurement for an organization’s continued success in protecting data.”

This year’s report includes the results from PCI assessments conducted by Verizon’s team of PCI Qualified Security Assessors for Fortune 500 and large multinational firms in more than 30 countries. Similar to Verizon’s “Data Breach Investigations Report” series, the report is based on actual casework, with a specific focus on financial services (58%), IT services (15%), retail (13%) and hospitality (11%). Geographies include the Americas (48%), the Asia-Pacific region (30%) and Europe (23%).