
Many businesses failing to comply with payment card data security standards, says Verizon

Compliance with payment card data security standards is improving, but many businesses, including those in the retail, financial services and hospitality sectors, are still failing to adhere to them, according to a new report.

04 Sep 2017

According to Verizon, most of the businesses it assessed in 2016 for compliance with the Payment Card Industry Data Security Standard (PCI DSS) did comply with the standard, and the proportion achieving compliance has risen each year since 2012.

Despite this, Verizon said nearly 45% of the businesses it assessed last year failed to achieve full compliance with the PCI DSS framework. According to the company's 2017 Payment Security Report, businesses in the hospitality sector lag behind IT service providers, financial services firms and retailers in their compliance with the standard.

The PCI DSS framework requires retailers, banks and other companies involved in processing credit and debit card payments to implement a series of technical and organisational measures to ensure payment card data is kept secure both during and after transactions, and to maintain and validate those controls on an ongoing basis rather than at a single point in time.

Rodolphe Simonetti, global managing director for security consulting at Verizon, said: "There is a clear link between PCI DSS compliance and an organisation's ability to defend itself against cyberattacks. Whilst it is good to see PCI compliance increasing, the fact remains that over 40% of the global organisations we assessed – large and small – are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year – and many much sooner."

"It is no longer the question of 'if' data must be protected, but 'how' to achieve sustainable data protection. Many organisations still look at PCI DSS controls in isolation and don't appreciate that they are inter-related – the concept of control lifecycle management is far too often absent," Simonetti said.

Troy Leach, chief technology officer for the PCI Security Standards Council, the body behind the PCI DSS regime, said: "The report highlights the challenges organisations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack. This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focus on helping organisations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process."