If your organization processes credit or debit card information, you’re probably already familiar with the Payment Card Industry Data Security Standard (PCI DSS), the regulatory standard enacted to prevent large data breaches like the ones you hear about frequently – the ones that make headlines for all the wrong reasons.
Here are a few PCI DSS compliance statistics you may have missed and ones to keep in mind as you consider your own organization’s security stance and vulnerabilities.
1. Organizational PCI DSS compliance has unfortunately been on a downward trend since 2016, according to Verizon’s latest Payment Security Report, down 8.8 percentage points over the previous year (2019).
2. The Verizon report found that only 27.9 percent of organizations achieved full compliance with PCI DSS during their interim validation in 2019.
3. As expected, within the retail industry, 99 percent of incidents were financially motivated, with payment data remaining the most sought-after and lucrative commodity for threat actors. The report does indicate that web applications, rather than point-of-sale (POS) devices, are now the main vector for retail breaches.
4. Even with all of this risk, security spending comprises an average of just 7 percent of organizations' total IT budget.
Aren’t Companies Aware of Breaches to Customer Payment Information?
5. Apparently not: 91 percent of attacks did not generate an alert. With only 9 percent of attacks receiving alerts, most security teams do not have the visibility they need into serious threats.
6. In addition, 53 percent of attacks successfully infiltrated environments without detection.
7. Just 33 percent of attacks were prevented by the security tools in place.
Which Industries Are Least Compliant with PCI DSS?
According to the Verizon report, the least compliant key industries identified were retail, financial and hospitality.
8. The numbers show a clear trend, with a 27.5 percentage-point drop in compliance since 2016, illustrating that organizations are still not taking all the necessary steps to ensure customer payment data is secure.
Are Organizations on Top of Their Security Controls?
9. About half of organizations test their security mechanisms; however, only a little more than half (51.9 percent) successfully test their security systems and processes.
10. In slightly better news, 7 out of 10 organizations are at least maintaining their security controls.
11. And, about two-thirds (66.2 percent) are doing what it takes to track and monitor their system access.
These numbers indicate that there is a strong need for management to buy into security initiatives to better align with their organizational agenda. Businesses need better security, and that includes ensuring a secure file transfer solution is in place.
While these compliance statistics illustrate only a brief snapshot of the situation, it’s common across all types of organizations to feel unsure about meeting PCI DSS requirements.
As IT infrastructure becomes more complex every day, PCI DSS rules change frequently, and many companies lack up-to-date expertise, the Verizon report suggests that a more long-term vision needs to be put into place, as opposed to what often amounts to short-term fixes.
What’s the Cost of Non-Compliance?
12. Non-compliance is far from cheap. You can expect financial penalties anywhere between $5,000 and $10,000 a month or more for violations of PCI compliance rules, along with added penalties and increased transaction fees.
Don't Most Companies Comply with PCI DSS?
Surprisingly, no. In Verizon's 10 years of having a forensics team investigate PCI DSS compliance, they have never found a company that was fully PCI DSS compliant at the time it was breached.
13. In a 2020 study from SecurityMetrics, only 43 percent of PCI DSS requirements were met at the time of a data breach. In fact, none of the organizations were 100 percent compliant at the time of a breach. And the vulnerabilities that attackers used to gain access to these merchant systems were ones covered by specific sections of the PCI DSS.
Are PCI DSS Compliance Investigations E-Commerce or POS Related?
14. According to SecurityMetrics, in 2020 approximately 65 percent of payment-card-related investigations were of e-commerce breaches, compared with 2017, just three years earlier, when only 33 percent of investigations were e-commerce breaches.
Just How Exposed is PCI Data?
15. SecurityMetrics Forensic Investigators found the following information from 2019 breaches:
- It took an average of 43 days from the time an organization became vulnerable for an attacker to compromise the system.
- The average organization was vulnerable for 699 days.
- Cardholder data was captured for an average of 532 days.
- Remote access and injection played a role in 66 percent of breaches.
If you’re having trouble justifying the cost of robust security solutions, this is what you need to think about: being complacent about PCI DSS compliance today could lead to years of lost customers and a damaged reputation for your brand.
It’s clear that many organizations are struggling with PCI DSS compliance. However, it doesn’t have to be difficult. Seek out security software solutions that protect your valuable data with up-to-date methods and end-to-end encryption, generate detailed logs to keep auditors happy, and let you easily test for PCI DSS compliance.
Is Your Business Well Positioned for PCI Compliance?
Download the white paper to examine how a Managed File Transfer (MFT) solution can help your company stay ahead of PCI compliance requirements with data transfers. This PCI Compliance white paper also outlines which specific PCI DSS requirements an MFT solution can address, and flags the key features you should look for and evaluate when selecting secure file transfer software.