2017 Payment Security Report
Revealing the challenges in sustaining payment card security
by Ciske van Oosten | Verizon RISK Team | 11/07/2017
In 2016, for the first time, more than half (55.4%) of organizations were fully PCI DSS (see below) compliant at interim validation—compared with 48.4% in 2015. Full compliance has increased almost five-fold compared to our analysis of 2012 assessments.
Despite this general improvement, the control gap of companies failing their interim assessment has actually grown worse. In 2015, companies failing their interim assessment had an average of 12.4% of controls not in place (6.8% across all companies). In 2016, this increased to 13.0% (5.8% across all companies).
Many of the security controls that were not in place cover fundamental security principles that have broad applicability. Their absence could be material to the likelihood of an organization suffering a data breach. Indeed, no organization affected by payment card data breaches was found to be in full compliance with the PCI DSS during a subsequent Verizon PCI forensic investigator (PFI) inquiry.
This report delves into the detail of payment security and PCI DSS compliance and analyzes compliance patterns and control failures from global, regional, and industry perspectives. It’s the only major industry publication based on data from real compliance validation assessments.
The inclusion of insights from our Data Breach Investigations Report (DBIR) specific to companies that have suffered from payment card data breaches makes this report a unique resource for compliance professionals.
The California Consumer Privacy Act and the Future of Privacy Law in the US
A Q&A with Jon Neiditz of Kilpatrick Townsend & Stockton LLP
Passed in 2018 and slated to go into effect in January 2020, AB 375, the California Consumer Privacy Act (CCPA), was created to give consumers better ownership and control over their personal data, but it opens up a world of compliance questions for businesses that sell such data. We spoke with Jon Neiditz, who co-leads the Cybersecurity, Privacy and Data Governance practice at Kilpatrick Townsend & Stockton LLP, about the Act and its implications for the future of privacy regulation.