Verizon has recently released its 2015 PCI Compliance Report, which provides some key insights into current practice in industry. On the face of it, the report indicates that about 80% of companies were validated as PCI DSS compliant in internal assessments; in reality, however, that compliance was not sustained over time. The report highlights that only 28.6% of companies actually maintained their compliance status on all 12 controls they committed to under the PCI DSS audit. It is therefore not surprising that the data breaches detected across 9700 sampled companies amounted to over 43 million security incidents in 2014, a compounded annual growth of 66% since 2009 and an increase of 29% over the previous year.
On the positive side, the survey indicates that although sustained compliance dropped off soon after validation, compliance in 11 of the 12 requirements actually improved, with the biggest gain in authentication and access. The one drop was in compliance with the testing procedures requirement.
The study indicates that “maintenance of a policy addressing security awareness building” within the workforce was one of the neglected aspects of compliance, with a measly 4% increase in compliance effort.
The report is an eye opener for organizations: it is not enough to perform an information security assessment at a single point in time; compliance must be sustained as an ongoing practice in the organization. There is therefore a need to assess the controls that specifically address the “sustainability” of compliance efforts, so that the benefits of an assessment and validation are retained for longer. Alternatively, organizations can try scheduling internal reassessments at more frequent intervals, in the hope that this will improve the sustainability factor.