The latest report by Verizon shows that online businesses are less likely to be breached if they’re PCI compliant

The Payment Card Industry Data Security Standard (PCI DSS), is a set of security guidelines applicable to all organizations that accept, store, and process credit card information. The PCI DSS is comprised of 12 key requirements that any website dealing with payment cards must adhere to. The Verizon 2017 Payment Security Report clearly outlines the relation between PCI DSS compliance and data breaches. Interestingly, almost all the victimized companies that Verizon analyzed between 2010 and 2016 were found have violated the PCI DSS at the time of their breach. Even more interestingly, the report indicates that 55.4% remain fully PCI compliant one year after their preliminary assessment. These two are the key findings of the 60-page long Verizon 2017 Payment Security Report – the ‘highlights’ if you may.

pci dss compliance

However, there’s no need to get overly pessimistic by these numbers. There is some good news, too. So, which one would you like to hear first — good news or bad news? Okay, let’s go through some good news first.

The Good News

Compliance on the rise

The report states that 55.4% of companies in 2016 remained fully PCI compliant one year after their preliminary assessment. This number may sound a little on the downside, but it’s not. 55.4% is a massive improvement over the 48.4% recorded in 2015.

Default credentials are a thing of the past

One of the 12 PCI DSS requirements is NOT TO use default vendor-supplied credentials. Going by Verizon’s report, 81.3% of organizations heed this requirement – an encouraging sign indeed.

Finance sector leading by example

If there is any sector that needs to comply with the PCI DSS more than others, it’s the finance sector. Almost 60% of financial services organizations fall within the boundaries of PCI DSS.

Customers getting savvier

Another key finding of the report was the rise in customer awareness. The report states “66% say they would be unlikely to do business with an organization that experienced a breach where their financial and sensitive information was stolen.

Now let’s get to the bad news. The part you should have a close look at.

The Bad News

The love-hate relationship between data breaches and PCI compliance

The report demonstrates a clear link between PCI DSS compliance and data breaches. The organizations that are fully PCI compliant have very low chances of being the victim of a data breach. Speaking of which Rodolphe Simonetti, Verizon’s global managing director for security consulting said, “There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks, [While] it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small – are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner.”

Security testing: Needs improvement

An important part of the 12 requirements is the ‘Security Testing.’ This requires the organizations to test their security systems and processes under some specific guidelines. Unfortunately, only 71.9% of organizations are compliant with this requirement.

Tracking and Monitoring: A bluntly ignored requirement

To protect your online business against potential data breaches, you need to constantly track and monitor access – that’s actually rule 10 of the PCI DSS. 91.9% of the companies assessed after a data breach were found to be disregarding this requirement.

Now that you know the significance that PCI DSS requirements hold, we hope that you will comply with (or at least think about) the requirements. Let’s have a look at the 12 requirements in brief, to give you an idea or two. Here they are:

  • Install and maintain a firewall and router configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

And if you’re feeling particularly motivated and want to dig in deep, you can learn more about these requirements on Payment Security Council’s official website.

Don’t let your ignorance be your worst nightmare

Employee: “Boss, we need to do something about PCI compliance. We’re not fully compliant and not fully prepared in case a data breach takes place.”
Boss: “Okay. But will it have any impact on our revenues?”

Employee: “It might, but that’s not the point.”

Boss: “Okay, what will you need?”

Employee: “We might need some money for that.”

Boss: “Wait for a second. This thing costs money? Aren’t they just rules & regulations?”

Employee: “No. We’ll need to install and maintain a firewall. We’ll need this, we’ll need that…”

Boss: “Nah. Let’s not do this. After all, who’s gonna target us? We’re not Equifax, right?”

Employee: “But stats show that 60 percent of small companies go out of business within 6 months of a cyber-attack.”

Boss: “How much money you want?”

Concluding Words

Hence, If your website is not PCI compliance, your website is more likely to be breached and if you wish to protect your custoemr, business and e-commerce transactions your website must be a PCI compliant.


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.