TRENDING
decreasing among global businesses, with only 52.4% of organisations maintaining full compliance in 2017, compared to 55.4% in 2016.
Regional differences are highlighted, demonstrating that companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8%, compared to those based in Europe (46.4%) and the Americas (39.7%). These differences can be attributed to the timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems.
By business sector, IT services remain on top when it comes to compliance, with over three quarters of organisations (77.8%) achieving full status. Retail (56.3%) and financial services (47.9%) were significantly ahead of hospitality organisations (38.5%), which demonstrated the lowest compliance sustainability. With businesses often leveraging PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), this gap between the various business sectors that deal with electronic payments on a daily basis is significant.
“PCI Compliance standards are slipping across global businesses and this simply can’t continue,” said Rodolphe Simonetti, Global Managing Director for Security Consulting, Verizon.
“Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness and to concentrate on managing the sustainability of their data protection.”
Control effectiveness and sustainability are essential
Simonetti continued: “Verizon has been at the forefront of cardholder data security since 2003, working closely with the PCI community to advance PCI DSS compliance.
“Based on our expertise and work in the field, we have developed nine factors which help businesses sustain their compliance levels. Our aim is to provide a clear structure and methodology to firstly help compliance personnel, but also equip them to open compliance dialogue with their board members, making the narrative easier to understand. For compliance processes to be effective, they need to be driven from the top, but often progress or challenges are not clearly communicated or understood by executives.”
Verizon’s nine factors of control effectiveness and sustainability support the 12 key requirements of the PCI DSS standard and are as follows:
• Factor 1: Control Environment: The sustainability and effectiveness of the 12 Key Requirements depends on a healthy Control Environment.
• Factor 2: Control Design: Proper control operation to meet DSS security control objectives depends on sound Control Design.
• Factor 3: Control Risk: Without ongoing maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down. Mitigation of control failures requires integrated management of Control Risk.
• Factor 4: Control Robustness: Controls operate in dynamic business and ever-changing threat environments. They must be robust enough to resist unwanted change in order to remain functional and perform to specification (configuration standards, access control, system hardening, etc.).
• Factor 5: Control Resilience: Security controls can potentially still fail, despite adding layers of control for increased
INTELLIGENTCIO
www.intelligentcio.com