2017 Payment Security Report
Revealing the challenges in sustaining payment card securityby Ciske van Oosten | Verizon RISK Team | 11/07/2017
In 2016, for the first time, more than half (55.4%) of organizations were fully PCI DSS (see below) compliant at interim validation—compared with 48.4% in 2015. Full compliance has increased almost five-fold compared to our analysis of 2012 assessments.
Despite this general improvement, the control gap of companies failing their interim assessment has actually grown worse. In 2015, companies failing their interim assessment had an average of 12.4% of controls not in place (6.8% across all companies). In 2016, this increased to 13.0% (5.8%).
Many of the security controls that were not in place cover fundamental security principles that have broad applicability. Their absence could be material to the likelihood of an organization suffering a data breach. Indeed, no organization affected by payment card data breaches was found to be in full compliance with the PCI DSS during a subsequent Verizon PCI forensic investigator (PFI) inquiry.
This report delves into the detail of payment security and PCI DSS compliance and analyzes compliance patterns and control failures from global, regional, and industry perspectives. It’s the only major industry publication based on data from real compliance validation assessments.
The inclusion of insights from our Data Breach Investigations Report (DBIR) specific to companies that have suffered from payment card data breaches makes this report a unique resource for compliance professionals.
To read more, please log in
A Q&A with Thom Rickert of Trident Public Risk Solutions
Thom Rickert, vice president, emerging risks specialist for Trident Public Risk Solutions - Argo Group US, has specialized in public entity insurance for 35 years. In light of recent public entity cyber breaches like the ransomware attack we saw in Atlanta in March 2018, Rickert is increasingly concerned about how public entities can control and mitigate cyber risk. In our conversation, he explained why so many of these organizations are vulnerable and what can be done to shore up their security.