Every year, Verizon publishes a report on PCI DSS and the key findings from the year. 2019 was no different.

One of the most interesting findings of this report is how few organisations have a programme in place to measure the maturity of their PCI compliance programme. Approximately 60% of organisations surveyed did not apply capability and maturity models to measure the maturity of their PCI security programme.

Other interesting numbers include:

  • Only 36.7% of organisations were actively maintaining PCI DSS programmes in 2018, a 20% decline from 2016.
  • Only 18% of organisations measure their PCI DSS controls more frequently than what PCI DSS requires.
  • No organisations were fully compliant at the time of a cardholder data breach. The biggest issues were with:
    • Requirement 3: Protection of cardholder data at rest
    • Requirement 8: Identification and authentication
    • Requirement 10: Logging and monitoring
    • Requirement 11: Security testing
    • Requirement 12: Security policy, governance, and service provider management
  • Approximately 35% of organisations suffered a compromise that involved a mobile device. Most of these compromises were major.

One positive note to take away from this report is that organisations in the APAC region regularly outperformed their global counterparts. However, the same issues appeared there too, just at slightly lower rates.

Confide can help you understand gaps in your security processes and measure the maturity of your PCI compliance programmes. Contact us for more information.