Report: Only 42.9% of Hospitality Companies Have Full Payment Security Compliance

BASKING RIDGE, NJ—The Verizon 2017 Payment Security Report has been released, and the findings demonstrate a link between organizations being compliant with payment card security standards and the ability to defend themselves against cyber attacks.

Of all payment card data breaches Verizon investigated, no organization was fully compliant at the time of breach, and showed lower compliance with 10 out of the 12 PCI DSS key requirements. Overall PCI compliance has increased amongst global businesses, with 55.4% of organizations Verizon assessed passing their interim assessment in 2016. This is an increase from 2015, when only 48.4% of organizations achieved full compliance during their interim validation. This means that nearly half of retailers, restaurants, hotels and other business that take card payments are still failing to maintain compliance from year to year.

“There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyber attacks,” said Rodolphe Simonetti, global managing director for security consulting, Verizon. “Whilst it is good to see PCI compliance increasing, the fact remains that over 40% of the global organizations we assessed—large and small—are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner.”

According to the report, IT services industry achieved the highest full compliance of all key industry groups studied. Globally, about three-fifths (61.3%) of IT services organizations achieved full compliance during interim validation in 2016, followed by 59.1% of financial services organizations (which includes insurance companies), retail (50%) and hospitality (42.9%).

Only 25% of hospitality organizations in the Americas were fully compliant, whereas companies in Europe achieved 50% and those in Asia-Pacific had 80%. As a silver lining, hospitality experienced the highest (90.5%) increase with the Requirement 10—removing unnecessary accounts and services.

The 2017 PSR also flags the compliance challenges faced by specific business sectors. For hospitality, this included security hardening, protecting data in transit and physical security.

Simonetti continued, “It is no longer the question of ‘if’ data must be protected, but ‘how’ to achieve sustainable data protection. Many organizations still look at PCI DSS controls in isolation and don’t appreciate that they are inter-related—the concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals—however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts.”

Troy Leach, chief technology officer for the PCI Security Standards Council, said, “The report highlights the challenges organizations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack. This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focus on helping organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.”