
Payment Problems: Report Documents Struggle to Protect Card Data

Organizations are struggling to build and maintain systems and processes to protect payment card data. For 10 years, Verizon has completed an annual study compiling the extent to which companies comply with the Payment Card Industry Data Security Standard (PCI DSS). The 2020 report, which examines 2019 data, shows full compliance with the standard fell to 27.9 percent—the third straight year of declines. At the high mark in 2016, full compliance stood at 55.4 percent.

Image by Security Management, data from Verizon 2020 Payment Security Report


The 12 requirements listed in the PCI DSS follow; the three in green text have the highest compliance rates in each of the past three years and the three in red text have the lowest compliance in each of the past three years.

R1: Install and maintain a firewall configuration

R2: Do not use vendor-supplied defaults

R3: Protect stored cardholder data

R4: Protect data in transit

R5: Protect against malicious software

R6: Develop and maintain secure systems

R7: Restrict access

R8: Authenticate access

R9: Control physical access

R10: Track and monitor access

R11: Test security systems and processes

R12: Security management

Barely half of companies met Requirement 11: Test security systems and processes, which was the lowest mark in the survey, and, indeed, has been at the bottom of the list for all but three years of the study. Looking more closely at this requirement, the PCI DSS details six controls:

11.1 – Test for the presence of wireless access points

11.2 – Run network vulnerability scans

11.3 – Implement penetration testing

11.4 – Use intrusion-detection systems

11.5 – Deploy change-detection mechanism

11.6 – Documented procedures for monitoring and testing

Of these, companies are finding Control 11.2: Run network vulnerability scans to be the toughest to comply with. The report cites the following reasons why companies struggle with Control 11.2:

  • Waiting to run the vulnerability scan until the month before the passing scan is due, which often leads to the discovery of complex remediation issues that are not possible to resolve within 30 days as required for “Critical” and “High” vulnerabilities.
  • Changes in staff responsibilities and lack of oversight.
  • Antiquated and end-of-life (EOL) technologies still present within the assessed environment that have no further support (including “extended” support) availability.
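The scheduling problem behind the first bullet can be made concrete. The script below is an added example, not code from the report or from Security Management: it tracks constructed "Critical" and "High" findings against the 30-day remediation window the article cites and a quarterly passing-scan due date, and computes how much remediation slack a scan actually leaves. Hostnames, dates, and the way the 30-day clock is compared with the passing-scan deadline are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REMEDIATION_DAYS = 30                  # window the article cites for Critical/High findings
SLA_SEVERITIES = {"Critical", "High"}

@dataclass
class Finding:
    host: str
    severity: str
    found: date
    fixed: Optional[date] = None        # None while the finding is still open

def remediation_due(f: Finding) -> Optional[date]:
    """Date by which a Critical/High finding must be closed; None when no window applies."""
    return f.found + timedelta(days=REMEDIATION_DAYS) if f.severity in SLA_SEVERITIES else None

def scan_margin_days(scan_date: date, passing_scan_due: date) -> int:
    """Slack left for remediation after a scan; negative means a full 30-day fix lands late."""
    return (passing_scan_due - scan_date).days - REMEDIATION_DAYS

def assess(findings, passing_scan_due: date, today: date) -> dict:
    """Bucket SLA-bound findings by whether they can still meet the passing-scan deadline."""
    report = {"closed_in_time": [], "overdue": [], "cannot_make_deadline": [], "open_in_window": []}
    for f in findings:
        due = remediation_due(f)
        if due is None:
            continue                                    # Medium/Low carry no 30-day clock here
        if f.fixed is not None:
            bucket = "closed_in_time" if f.fixed <= due else "overdue"
        elif due > passing_scan_due:
            bucket = "cannot_make_deadline"             # found too late for a 30-day window
        elif today > due:
            bucket = "overdue"
        else:
            bucket = "open_in_window"
        report[bucket].append(f.host)
    return report

# Constructed sample findings (hypothetical hosts and dates, not data from the report).
SAMPLE = [
    Finding("db-01", "Critical", date(2019, 10, 15), date(2019, 11, 10)),
    Finding("pos-03", "Critical", date(2019, 12, 10)),
    Finding("app-04", "High", date(2019, 11, 25)),
    Finding("vpn-06", "High", date(2019, 11, 1)),
]

def sample_report() -> dict:
    # Assess the sample against a passing scan due 31 Dec 2019, as of 20 Dec 2019.
    return assess(SAMPLE, passing_scan_due=date(2019, 12, 31), today=date(2019, 12, 20))
```

Running `sample_report()` shows `pos-03` (found 10 December) can no longer be fixed inside its 30-day window before the 31 December passing scan, which is exactly the pattern the report describes; `scan_margin_days` makes the same point for the scan date itself.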

Taking a quick look at Requirement 9: Control physical access, 81.2 percent of companies achieve full compliance, which is an increase of nearly five percent from the previous year, though the percent of companies in full compliance over the last five years has generally been in the low 80s.

The study breaks out responses by four industries—finance, retail, hospitality, and IT services. Of those, retail lags behind the others, with 62.5 percent achieving full compliance with the physical access control requirement; the other industries range from 82.1 percent to 85.7 percent compliance. Across the 10 control measures for Requirement 9, which range from “distinguish between onsite personnel and visitors” to “destroy media when no longer needed,” compliance is fairly even, ranging from 89 percent to 92.9 percent.