The Verizon 2015 PCI Compliance Report issued this week should serve as a loud and clear wake-up call to everyone in the business community who cares about the security of their customers' payment data. This annual report has become a barometer for payment security compliance and an indicator of how organizations are prioritizing the protection of customer card data.

The good news is that we are making clear progress in many key areas of protecting customers' payment data. PCI DSS compliance overall is improving, and companies are making data protection more of a priority by increasing their cybersecurity budgets. The bad news is that ongoing vigilance is low, and data security overall is still inadequate. Much work remains to be done, and 2015 is a pivotal year for making progress in these areas.


The findings of the Verizon report are sobering. A PricewaterhouseCoopers survey of 9,700 companies found that they had detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66 percent since 2009. In other words, companies are under attack from cyber criminals like never before. With the attacks coming fast and furious, the stakes involved in protecting payment data have never been higher. Cybercrime costs the U.S. economy $100 billion a year and the global economy $575 billion annually. According to Verizon, 45 percent of Americans say they or a household member have been notified that their credit card data may have been stolen in a data breach, and 69 percent of consumers say they would be less inclined to do business with a breached organization. The business community needs to up its game to meet this enormous challenge. Companies that fail to heed this warning do so at their own peril.

Perhaps the most startling statistic in the Verizon report is that, of all the payment card breaches its forensics team has investigated over the last 10 years, not a single breached organization was found to have been PCI DSS compliant at the time of the breach. Our standards work, but only if you follow them.

Too many companies fail to make payment security an all-day, every-day priority. The ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities, as opposed to achieving a passing compliance report and then letting security practices drift. A compliance assessment is a point-in-time snapshot; the controls it validates have to keep working between assessments. Data security cannot be an annoying "box you check" once or twice a year. It has to be a proactive, all-day, every-day priority. As the Verizon report puts it, "security is something you do, not something you have."

This report reinforces what the PCI Security Standards Council has been promoting for years: payment security must be a top priority for the business community. Companies that fail to make data protection an everyday priority run the risk of losing money, losing business and destroying their reputations.

The best approach to payment security is a multi-layered one that involves people, processes and technology. With the Verizon report, the alarm is sounding: are you ready?

Orfei is general manager of the PCI Security Standards Council.