Verizon recently released their 2022 Payment Security Report. The report covers a broad range of topics – from the most noteworthy changes in the newest version of the Payment Card Industry Data Security Standard (PCI DSS) to the most meaningful ways for security leaders to create goals for their organization.
The report also includes a snapshot of how companies have been trending when it comes to PCI compliance. So: how does your organization measure up?
In 2019, only 27.9 percent of companies were 100 percent compliant with the PCI DSS.
In 2020, that number jumped to 43.4 percent.*
*Note: these were the most recent statistics covered in the 2022 Payment Security Report.
In a single year, the share of businesses whose organizations were fully compliant rose by more than 15 percentage points. (A reminder: compliance is mandatory for any business that stores, processes, or transmits cardholder data; in 2020 the version in force was PCI DSS v3.2.1.)
Encouraging progress? Absolutely. But it also means that more than half of companies (56.6 percent) still had work to do to bring their security programs up to standard.
If you’re one of those companies, you’re far from alone. However, there’s no better time to bring your organization up to speed.
With the newest version of the PCI DSS (v4.0) replacing v3.2.1 on 31 March 2024 (a set of future-dated requirements becomes mandatory on 31 March 2025) – and, through its customized approach, giving companies more flexibility than ever in how they meet the requirements – you’re looking at a golden opportunity to evaluate your security controls and make sure you’re adequately protecting your customers’ credit card data.
Of course, compliance isn’t always black and white.
Companies may not be 100 percent compliant with every single PCI requirement, but that doesn’t mean they can’t be working towards that goal.
To that end, Verizon broke down the individual requirements where companies were the strongest – and the weakest. Here’s what they found:
PCI requirements with the highest levels of compliance:
- PCI Requirement 4 – Protect cardholder data with strong cryptography during transmission (90.8 percent)
- PCI Requirement 7 – Restrict access to system components and cardholder data by business ‘need to know’ (90.8 percent)
- PCI Requirement 5 – Protect all systems and networks from malicious software (88.4 percent)
PCI requirements with the lowest levels of compliance:
- PCI Requirement 11 – Test security of systems and networks regularly (60.1 percent)
- PCI Requirement 6 – Develop and maintain secure systems and software (70.5 percent)
- PCI Requirement 2 – Apply secure configurations to all system components (70.5 percent)
And those that fell in the middle?
PCI requirements with “middle ground” compliance:
- PCI Requirement 9 – Restrict physical access to cardholder data (85 percent)
- PCI Requirement 3 – Protect stored account data (84.4 percent)
- PCI Requirement 8 – Identify users and authenticate access to system components (83.2 percent)
- PCI Requirement 1 – Install and maintain network security controls (78 percent)
- PCI Requirement 10 – Log and monitor all access to system components and cardholder data (76.3 percent)
- PCI Requirement 12 – Support information security with organizational policies and programs (75.1 percent)
How close – or far – are companies from full compliance?
Again: it’s important to remember that compliance isn’t black and white. Not being 100 percent compliant with every aspect of a particular requirement doesn’t mean that a company isn’t making progress in the right direction.
To measure that progress, the 2022 Payment Security Report also reports a statistic called the “average control gap.”
This measure represents the distance between a company’s current state of compliance and the target of full, 100 percent compliance: the share of required controls that are not yet in place. The lower the gap, the closer the company is to meeting all of its requirements.
The average control gap shrank considerably in this year’s report, from 7.7 percent in 2019 to 4 percent in 2020.
When looking at individual requirements – not just all requirements as a whole – the requirements with the largest gaps were:
- Requirement 10
- Requirement 11
- Requirement 2
Bring your company closer to compliance
Given these statistics, it’s clear that PCI compliance is a complicated task. This is true for companies that have large, well-funded security departments – and even more true for those without designated compliance resources.
However, the burden of compliance doesn’t have to be so intimidating. Even something simple, such as outsourcing the handling of credit card data, can help you reduce your PCI scope. Instead of taking on the longest and most complicated requirements yourself, you can rely on a service provider validated as PCI DSS compliant to help you protect your customers’ data. Outsourcing shrinks your scope but doesn’t remove your responsibility: Requirement 12 still obliges you to keep a list of your service providers, confirm which requirements each one covers on your behalf, and check their compliance status at least annually.
Interested in improving your payment card security program? Contact Curbstone to find out how we can help you accept credit and debit card payments without processing, storing, or transmitting the data on your system – considerably reducing the amount of work you have to do to meet your compliance requirements.