Here at Spreedly we pay a lot of attention to PCI DSS compliance. As a company that handles millions of payment transactions on behalf of our customers we are a PCI Level 1 Service Provider. And one of our core offerings is a set of solutions that securely capture and collect payment methods, helping our customers reduce their PCI scope. So, we received Verizon’s 2017 Payment Security Report with interest.
The report delves into the detail of payment security and PCI DSS compliance and analyzes compliance patterns and control failures from global, regional, and industry perspectives. Spreedly’s customers are international and span multiple industries, including the industries covered in the report.
The Verizon report focuses on the challenges in sustaining payment card security.
“Organizations are required to not only achieve 100.0% compliance with the PCI DSS, but also to maintain it. This means having all applicable security controls continuously in place. We measured organizations during interim assessment to determine the percentage that achieved full compliance for each Key Requirement.”
The report finds that while sustained PCI DSS compliance is on an upward trend – from 11.1% in 2012 to 55.4% in 2016 – nearly half of companies fell out of compliance within 9 months of validation, putting them at risk. Of those organizations that were breached, Verizon determined that none were fully compliant with regulations at the time of their breach.
So what’s happening? Why are companies falling out of compliance? The report strongly suggests that this is happening because companies do not have the proper controls in place to maintain compliance over time.
Of the four industries analyzed – Financial Services, Hospitality, Information Technology, and Retail – here is how they compare, from worst to best, on full compliance at interim assessment:
- Hospitality performed the worst, with only 42.9% achieving full compliance at interim assessment.
- Only half (50.0%) of Retail organizations were fully compliant at interim assessment.
- About three-fifths (59.1%) of Financial Services organizations achieved full compliance at interim assessment.
- Information Technology did the best, with 61.3% achieving full PCI DSS compliance at interim assessment.
Uh oh. Retail, and especially Hospitality, businesses are the most at risk. Bad news if you are an e-commerce concern in either of these industries, but good news for Spreedly as this presents opportunities :-)
Looking Further Into Hospitality & Retail
Becoming PCI DSS compliant consists of meeting 12 Key Requirements. The Verizon report evaluates how the four industries perform against each of these requirements. Of particular interest to Spreedly are Key Requirement 3 (Protect stored cardholder data) and Key Requirement 4 (Protect data in transit). These are two requirements that Spreedly’s solutions directly address, not only at the outset of implementation but on an ongoing basis as well.
Protect stored cardholder data – 80.1% of companies assessed after a data breach were not in compliance with this requirement, with the worst offenders being in Retail and Hospitality.
Hospitality Findings – Typically hotels, restaurants and travel and tourism companies
- Less than half (42.9%) of Hospitality organizations achieved full compliance at interim – the lowest of the four key verticals.
- Only a quarter (25.0%) of Hospitality organizations in the Americas achieved full compliance at interim assessment. In comparison, half of those in Europe and 80.0% of similar companies in Asia Pacific achieved this level.
- Protecting stored data declined by 3.8%. Hospitality companies performed particularly poorly against control 3.1, Keep data storage to a minimum.
Protect data in transit – 20.8% of companies assessed after a data breach were not in compliance, with the worst offender being Retail.
Retail Findings – Merchant organizations that sell to consumers. This covers both brick-and-mortar stores and e-commerce businesses.
- Half of Retail organizations achieved 100% compliance at interim assessment, compared with 57.1% the previous year. This fall occurred across all 12 Key Requirements.
- Just 46.7% of Retail organizations in the Americas achieved full compliance at interim assessment. Those in Europe did only slightly better (50.0%).
- Protecting data in transit had an abysmal performance in the Retail industry. It was the least compliant key requirement, with just 80.0% of companies assessed found to be fully compliant. This was the lowest score for any of the key industries.
- Protecting stored data declined dramatically, falling from 85.7% to 65.0%.
Organizations are required not only to achieve 100.0% compliance with the PCI DSS, but also to maintain it. When it comes to protecting stored cardholder data and protecting data in transit, Spreedly’s solutions reduce PCI scope not only at the outset but on an ongoing basis, and we work directly with companies in both hospitality and retail. Visit our website for more information on our PCI-compliant payment solutions or sign up for a free trial.