PCI DSS
PCI DSS Compliance Trends
Over the past three years, overall average compliance grew from 53% to 94%, an increase of 77%. Over the same period, full compliance increased from less than 8% to 20%, a 167% change.
PCI DSS Compliance Improves Somewhat in 2014
The number of organizations that achieved full compliance grew from 11% in 2013 to 20% in 2014, reducing the number that were non-compliant from 89% to 80%.
State of PCI DSS Compliance
More than 90% of all controls, subcontrols, and testing procedures were passed by 80% of companies, a significant increase from last year. Only 25% were passed by all companies assessed, and the highest any control scored in 2013 was 98%.
The Nature of PCI DSS Compliance
On average, compliance with 11 of 12 PCI DSS requirements increased 18 percentage points. The biggest increase was in authenticating access. The only area where compliance fell was testing security systems.
Reduction in Scope
A full 87% reported making some effort to take data out of scope for PCI DSS compliance using a variety of methods. Another 62% reported moving affected data beyond their control by relying on third-party providers. A full 96% are also using firewalls and routers to control access to data.
Spear-Phishing the Password
Four out of five breaches stemmed from authentication-based tactics, where attackers attempted to guess, crack or reuse valid credentials.
Unencrypted Data Is Primary Target
Attackers often focus on compromising stored data. Almost half (48%) of compromises related to payment card data breaches involved data that was unencrypted.
Use of Anti-malware Software
This is the only control category that witnessed a drop in compliance, from 96% to 92% in 2014.
Managing the Insider Threat
A full 96% of companies were compliant in limiting data access to just those individuals whose job requires such access.
The Ultimate Fail
Of all the data breaches investigated by Verizon in the last 10 years, not a single company has been found to be fully compliant at the time of the breach.





