Here at Spreedly we pay a lot of attention to PCI DSS compliance. As a company that handles millions of payment transactions on behalf of our customers we are a PCI Level 1 Service Provider. And one of our core offerings is a set of solutions that securely capture and collect payment methods, helping our customers reduce their PCI scope. So, we received Verizon’s 2017 Payment Security Report with interest. The report delves into the detail of payment security and PCI DSS compliance and analyzes compliance patterns and control failures from global, regional, and industry perspectives. Spreedly's customers are international and span multiple industries, including the industries covered in the report.
The Verizon report focuses on the challenges in sustaining payment card security.
Organizations are required to not only achieve 100.0% compliance with the PCI DSS, but also to maintain it. This means having all applicable security controls continuously in place. We measured organizations during interim assessment to determine the percentage that achieved full compliance for each Key Requirement.
The report finds that while sustained PCI DSS compliance is on an upward trend - from 11.1% in 2012 to 55.4% in 2016 - nearly half of companies fell out of compliance within 9 months of validation, putting them at risk. Of those organizations that were breached, Verizon determined that none were fully compliant with regulations at the time of their breach. So what’s happening? Why are companies falling out of compliance? The report strongly suggests that this is happening because companies do not have the proper controls in place to maintain compliance over time.
Of the four industries analyzed - Financial Services, Hospitality, Information Technology, and Retail - here’s how they compare with respect to the best and worst compliance:
Uh oh. Retail, and especially Hospitality, businesses are most at risk. Bad news if you are an e-commerce concern in either of these industries, but good news for Spreedly as this presents opportunities :-)
Becoming PCI DSS compliant consists of meeting 12 Key Requirements. The Verizon report evaluates how the four industries perform in each of the requirements. Of particular interest to Spreedly is Key Requirement 3 (Protect stored cardholder data) and Requirement 4 (Protect data in transit). These are two requirements that Spreedly’s solutions directly address, not only at the outset of implementation but on an ongoing basis as well.
Protect stored cardholder data - 80.1% of companies assessed after a data breach were not in compliance with this requirement, with the worst offenders being in Retail and Hospitality.
Protect data in transit - 20.8% of companies assessed after a data breach were not in compliance, with the worst offender being Retail.
Organizations are required to not only achieve 100.0% compliance with the PCI DSS, but also to maintain it. When it comes to protecting stored cardholder data and protecting data in transit, Spreedly's solutions reduce PCI scope not only at the outset but on an ongoing basis, and we work directly with companies in both hospitality and retail. Visit our website for more information on our PCI compliant payment solutions or sign up for a free trial.