Verizon recently released their annual State of PCI Compliance Report, which attempts to give a snapshot of current issues in the space as well as trending data over previous years. To summarize the report, the state of PCI Compliance is “not good.” It’s now 2015, more than 10 years after the first release of the standard, and we continue to struggle with compliance rates. In a Computer Weekly article, the GM of the Council calls the report a “wake-up call for every business that cares about payment security.”
Respectfully, I think that the results in this report should be a wake-up call for the Council. These findings, combined with lower than expected compliance rates and continued breaches (none of which came from compliant merchants), call the effectiveness of PCI DSS into question. Yes, there are items in the report that should surprise the industry in general. Everyone from payment brand to acquirer to merchant to service provider can find a few items that are relevant and should be addressed sooner rather than later. The bigger story here is that we’re more than 10 years into the PCI DSS journey and merchants still struggle with some of the basic requirements. PCI DSS has grown tremendously in complexity over the years, and the changes from 2.0 to 3.0 are proving to be quite challenging (ask any e-commerce merchant who now has to fill out SAQ A-EP).
I’ve always supported the positive aspects of the standard (and still do). What I hope the framers of the DSS do now is take the opportunity in the current review cycle (which closes soon!) to really re-think the problem they are trying to solve and how they are going about solving it. There are better ways out there. Hopefully we can discover them!