Tuesday, January 31, 2023
LetsAskBinu.com

PCI DSS compliance improving but still lags highs

By Researcher
September 11, 2022
in Cybersecurity


The new PCI DSS 4.0 standard means organizations will have to up their game beginning in 2024.

Image: Adobe Stock (stock photo)

While compliance with the PCI Data Security Standard (PCI DSS) improved significantly in 2020, it is still well off its 2016 highs, according to the 2022 Verizon Payment Security Report (PSR), the 10th edition of the report.

Data security compliance has improved, but a new standard will push organizations further

“Following three years of full compliance in decline (2017 to 2019), organizations focused their attention on improving security management and governance, resulting in significant gains across six of the 12 Key Requirements [of the PCI DSS standard],” the report said.

In response to ever-escalating cyberthreats in the payments industry, the PCI Security Standards Council instituted its most ambitious rewrite of the PCI DSS since 2004, the report said. Released earlier this year, PCI DSS version 4.0 will go into effect in 2024.

“The latest update will help organizations ensure that data security controls remain relevant and effective in a shifting landscape,” the report said.

Aside from detailing changes in PCI DSS compliance, the report also lays out a roadmap for organizations implementing version 4.0 of the PCI DSS standard.

“Since the release of PCI DSS v1.0 in 2004, most organizations continue to struggle with achieving and maintaining effective, sustainable payment card data security,” the report said. “Those that succeed in maintaining all their PCI DSS requirements year-round—rather than ongoing remediation for the sake of passing an annual assessment—implement a strategy and design based on sustainable, well-developed goals.”

How organizations are maintaining data security compliance

The 2022 PSR found that overall PCI DSS compliance improved significantly in 2020, with 43.4% of organizations maintaining full compliance, a 15.5% improvement over the record low of 27.9% in 2019. But these numbers are well off the all-time high reached in 2016, when 55.4% of organizations reported being in full compliance.

Even though 57% of organizations failed their interim validation assessment due to missing security controls, the security control gap narrowed from 7.7% in 2019 to 4.0% in 2020. The control gap is the difference between the measured state of compliance and having 100% of required controls in place, the report said; a lower gap number is better.

The report also noted a significant increase in the use of compensating controls, with 30.1% of organizations across the globe applying one or more compensating controls, a 5.4% increase from 24.7% in 2019. A compensating control is used when an organization is unable to meet a key requirement as stated in PCI DSS and puts an alternative control in place to address the same risk.

The key requirements organizations meet most consistently continue to be restricting access to data, protecting data in transit, protecting the network against malicious software and controlling physical access. Over 80% of organizations meet these key requirements, the report said.

These are followed by protecting stored cardholder data, authenticating access and maintaining firewalls. These key requirements are met by just 70% of organizations.

The worst-performing requirements continue to be regularly testing security systems and developing and maintaining secure systems. Fewer than 70% of organizations maintain these requirements, the report said.

Additional report findings highlight improvements in security testing, with 60.1% of organizations in 2020 (vs. 51.9% in 2019) successfully testing security systems, processes and unmonitored system access.

“Despite compliance improvements, we know that bad actors are still out there and stronger than ever,” said Ciske Van Oosten, Head of Global Business Intelligence, Verizon Cyber Security Consulting, in a press release.

About the report

The Verizon 2022 PSR is based on the analysis of quantitative data gathered by Qualified Security Assessors (QSAs) from multiple Qualified Security Assessor Company (QSAC) organizations across the world. The dataset for this edition is drawn from five sources, four of them external to Verizon.


© 2022 Lets Ask Binu All Rights Reserved