Despite the wave of costly data breaches over the last few years, nearly half of global firms that accept plastic are still failing to meet Payment Cards Industry (PCI) security standards, according to a report from Verizon.
While overall PCI compliance has increased amongst global businesses, just 55.4% of organisations assessed by Verizon passed their interim assessment in 2016, compared to 48.4% in 2015.
This means that nearly half of retailers, restaurants, hotels and other business that take card payments are still failing to maintain compliance from year to year.
And of all payment card data breaches Verizon investigated, no organisation was fully compliant at the time of breach, and showed lower compliance with 10 out of the 12 PCI DSS key requirements.
Rodolphe Simonetti, global managing director, security consulting, Verizon, says: "There is a clear link between PCI DSS compliance and an organization's ability to defend itself against cyberattacks."
"Whilst it is good to see PCI compliance increasing, the fact remains that over 40% of the global organisations we assessed - large and small - are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner."
According to the report, IT services achieved the highest full compliance of all key industry groups studied. Globally, about 61% of firms in this sector achieved full compliance, compared to 59% of financial services organisations, 50% of retail firms and 43% of hospitality companies.
Verizon uses an FS industry firm as an example of how standards can be missed. The unnamed outfit sought exemption from the Wi-Fi requirements of PCI DSS but was surprised to learn that it did in fact have a wireless network operating in its building - causing it to fail.
"The IT admin had got tired of traipsing from the server room in the basement to the IT department on the third floor, and so had installed a router to access the servers from his desk," says Verizon.
Troy Leach, CTO, PCI Security Standards Council, says: "The report highlights the challenges organisations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack.
"This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2., which focus on helping organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process."