PCI DSS
Over the past three years, overall average compliance grew from 53% to 94%, an increase of 77%. Over the same period, full compliance increased from less than 8% to 20%, a 167% change.
The number of organizations that achieved full compliance grew from 11% in 2013 to 20% in 2014, reducing the number that were non-compliant from 89% to 80%.
More than 90% of all controls, subcontrols, and testing procedures were passed by 80% of companies, a significant increase from last year. Only 25% were passed by all companies assessed, and the highest any control scored in 2013 was 98%.
On average, compliance with 11 of 12 PCI DSS requirements increased 18 percentage points. The biggest increase was in authenticating access. The only area where compliance fell was testing security systems.
A full 87% reported making some effort to take data out of scope for PCI DSS compliance using a variety of methods. Another 62% reported moving affected data beyond their control by relying on third-party providers. A full 96% are also using firewalls and routers to control access to data.
Four out of five breaches stemmed from authentication-based tactics, where attackers attempted to guess, crack or reuse valid credentials.
Attackers often focus on compromising stored data. Almost half (48%) of compromises related to payment card data breaches involved data that was unencrypted.
Testing security systems is the only control category that witnessed a drop in compliance, from 96% to 92% in 2014.
A full 96% of companies were compliant in limiting data access to just those individuals whose job requires such access.
Of all the data breaches investigated by Verizon in the last 10 years, not a single company has been found to be fully compliant at the time of the breach.