2019 Payment Security Report

Twenty years ago, in 1999, the major card brands initiated their cardholder data protection programs. The PCI DSS celebrates its 15th birthday this year. An effective and sustainable control environment remains as relevant as ever. Based on the continuing occurrence and severity of data breaches, many organizations appear to still be approaching compliance as a “check box” routine.

Without a sound strategy to measure data protection effectiveness and sustainability, throwing money at data protection does little to prove an organization is getting better at maintaining compliance. This approach may lead to a false sense of security. Many organizations appear stuck in a reactive cyclic pattern, focusing only on meeting baseline compliance requirements.

Compliance programs and organizational capabilities must continue to evolve and mature. Organizations must develop visibility, control and predictability in compliance performance. This structure moves data protection from a state of being reactive to proactive.

We have identified a need across the industry for guidance on how to develop and measure the effectiveness and maturity of data protection. With PCI DSS compliance sustainability in decline worldwide, organizations must understand how to effectively manage their control environments and achieve a level of assurance and predictability for each core data protection and compliance process.

This edition of the PSR is intended to help readers understand these challenges and integrate maturity models as navigational tools throughout compliance lifecycles. Building on our industry-leading insights and recommendations, this report presents a practical, integrated framework for organizations to improve their data protection and compliance statures.