Companies struggle to maintain PCI compliance within a year of meeting it, according to a new payment security report by Verizon.
The number of businesses achieving full compliance with their annual Payment Card Industry Data Security Standard (PCI DSS) review reached a record 55.4% last year, but nearly half of companies fall out of compliance within a year, according to the Verizon 2017 Payment Security Report.
Even more telling: in all of the nearly 300 payment card data breaches that Verizon investigated from 2010 to 2016, the businesses hit were not fully PCI DSS-compliant at the time of their breach.
Why is it so hard for businesses to maintain PCI compliance after achieving it?
Some were never actually compliant. The sad truth is that many PCI Self-Assessment Questionnaires are completed as compliant when the requirements have not actually been met. Whether this is intentional or a misinterpretation of the requirements or of the controls in place, the result is the same: it leaves the organization open to penalties and litigation beyond the cost of the breach.
Compliance is never finished. Too many organizations treat compliance as something to be achieved just in time for the audit, and then forgotten until it is audit time again. Compliance needs to be an ongoing endeavor, which is why PCI DSS specifically requires quarterly and annual testing as well as 24/7/365 monitoring of the Cardholder Data Environment. Meeting these requirements continuously is what maintaining PCI compliance means.
Lack of resources can defeat even the best of intentions. Your IT team has to keep things running day-to-day, which pulls them away from maintaining PCI compliance. Outsourcing to a Managed PCI program can help keep you on track.