This past year brought plenty of challenges to the cybersecurity landscape and the payment processing industry, with a steady stream of newly reported data breaches and intrusion attempts. So when January 1, 2015 rolled around and many organizations faced the transition to version 3.0 of the Payment Card Industry Data Security Standard, the retail and B2B commerce sectors let out a collective sigh of frustration.
The introduction of PCI DSS 3.0 didn’t initially seem like good news, but as 2015 drew closer, more merchants recognized the benefits of the improved requirements. Even for businesses eager to implement cybersecurity solutions, complying with the new PCI security standards isn’t an easy process. In fact, some businesses have yet to meet older versions of the PCI compliance requirements.
A recent report from Verizon examined the struggles and successes of organizations working toward PCI DSS compliance, and found that fully compliant businesses remain scarce. Based on assessments completed last year at “Level 1 merchants,” which the PCI Security Standards Council defines as companies that process more than 6 million transactions per card brand per year, Verizon found that the percentage of fully compliant organizations almost doubled between 2013 and 2014, reaching 20 percent.
It seems that as merchants become more familiar with industry expectations, they’re getting better at PCI DSS compliance. Verizon’s report found that over 80 percent of organizations met at least 90 percent of all subcontrols and testing procedures required by PCI DSS. Additionally, for the first time in the three years Verizon has been assessing PCI DSS compliance, every business met at least a quarter of the required subcontrols and testing procedures.
“Four out of every five merchants are noncompliant with PCI DSS.”
The bad news
However, the Verizon report wasn’t all good news for organizations subject to PCI DSS. Four out of every five merchants are noncompliant, indicating serious gaps in cybersecurity for a majority of businesses, according to the source. Furthermore, only 28.6 percent of companies that achieved full PCI compliance were still meeting those standards less than a year after a successful PCI validation.
As for the reasons behind the lack of compliance, one requirement in particular caused a problem. Of the 12 PCI DSS requirements, Requirement 11 (regularly test security systems and processes) is the only one that saw a decrease in compliance between 2013 and 2014, according to Verizon. This is a significant problem, as TechTarget reported that penetration testing is the most important improvement in PCI DSS 3.0. However, the source noted that businesses have until June 30, 2015 before that best practice becomes a mandatory requirement, so there is still time to comply.
Of course, it’s always important to remember that PCI DSS compliance should be a starting point, not the end goal of a cybersecurity program. Stephen Orfei, general manager of the PCI Security Standards Council, told ComputerWeekly that the past 12 months showed current security techniques are not stopping cyberattacks, and with no silver bullet for breach prevention, merchants must establish multi-layered approaches that include monitoring and active preparation for new threats.
To go beyond PCI DSS 3.0 compliance, organizations should turn to payment processing solutions that integrate easily with existing systems, making cybersecurity just another daily process rather than an annual assessment exercise.