Learning Center Home > Infographic > PCI Compliance Trends

PCI Compliance Trends

Infographic

Findings From SecurityMetrics' PCI Compliance Customers

Merchants often have a difficult time attaining (or maintaining) PCI compliance for a variety of reasons. Many smaller merchants believe it’s too technical or costly, while others simply don’t believe it’s effective and refuse to comply.

With the help of SecurityMetrics, simplify your PCI compliance and provide your business with enhanced data security.

Download the latest guide to PCI compliance

Download Now

2022 PCI Compliance Trends

https://www.securitymetrics.com/content/dam/securitymetrics/PDF-files/2022-PCI-Compliance-Trends-Infographic.pdf

2022 PCI Compliance Trends

PCI Compliance Trends: How Does Your Organization Rank with Implementing PCI DSS Requirements

Top 10 Failing PCI SAQ Questions and Requirements: Top 10 Requirements Merchants Struggle to Meet PCI Compliance Requirements

Top 5 Failed Vulnerabilities: PCI ASV Scans Top Discovered Vulnerabilities

Learn more about PCI Compliance: Download the SecurityMetrics Guide to PCI DSS Compliance

HOW DOES YOUR ORGANIZATION RANK?

2021 SECURITYMETRICS CUSTOMER TRENDS

  • 93.6% of SecurityMetrics customers that started their SAQ have achieved a passing status

  • 20.33 days: Average time to reach PCI DSS compliance

  • 0.98 times: Average number of support incidents before customers became compliant

  • 77.67% percent of SecurityMetrics customers that passed their first scan

  • 8.5 days: Average time from finished first scan to first passing scan

  • 1.57 scans: Average number of times scanned until merchants pass their PCI scan


TOP 10 FAILING SAQ SECTIONS

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.

  2. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

  3. Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

  4. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.

  5. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

  6. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.

  7. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

  8. Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

  9. Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.

  10. Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.


TOP 5 FAILED VULNERABILITIES

  1. TLS VERSION 1.0 PROTOCOL DETECTION

    Exists if the remote service accepts connections using TLS 1.0 encryption
  1. SSL SELF-SIGNED CERTIFICATE

    Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)
  1. SSL CERTIFICATE WITH WRONG HOSTNAME

    Happens when an SSL certificate for the tested service is for a different host
  1. SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32)

    Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites

  2. SSL MEDIUM STRENGTH CIPHER SUITES SUPPORTED (SWEET32)

    Occurs when a remote host supports the use of SSL ciphers that offer medium strength encryption

Have an Upcoming PCI Audit Deadline?

Request a Quote Here

2021 PCI Compliance Trends

https://www.securitymetrics.com/content/dam/securitymetrics/PDF-files/2021_PCI_Compliance_Trends_Infographic.pdf


2021 PCI Compliance Trends: How Well Are Organizations Addressing PCI Requirements

2021 PCI COMPLIANCE TRENDS

HOW DOES YOUR ORGANIZATION RANK?

2020 SECURITYMETRICS CUSTOMER PCI TRENDS

  • 94% of SecurityMetrics customers that started their SAQ have achieved a passing status

  • 25.75 days: Average time to reach PCI DSS compliance

  • 1.4 time: Average number of support incidents before customers became compliant

  • 71% percent of SecurityMetrics customers that passed their first scan

  • 5.2 days: Average time from finished first scan to first passing scan

  • 1.75 scans: Average number of times scanned until merchants pass their PCI scan


TOP 10 FAILING SAQ SECTIONS

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.

  2. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

  3. Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

  4. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.

  5. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

  6. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.

  7. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

  8. Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

  9. Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.

  10. Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.


TOP 5 FAILED VULNERABILITIES

  1. TLS VERSION 1.0 PROTOCOL DETECTION: Exists if the remote service accepts connections using TLS 1.0 encryption
  2. SSL CERTIFICATE WITH WRONG HOSTNAME: Happens when an SSL certificate for the tested service is for a different host
  3. SSL CERTIFICATE CANNOT BE TRUSTED: Happens if the SSL certificate service cannot be trusted
  4. SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32): Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites
  5. SSL SELF-SIGNED CERTIFICATE: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)


Download the latest guide to PCI compliance

Download Now


2020 PCI Compliance Trends

info.securitymetrics.com/2020-pci-compliance-trends

2020 PCI Compliance Trends

HOW DOES YOUR ORGANIZATION RANK?

2019 SECURITYMETRICS CUSTOMER TRENDS

  • 94% of SecurityMetrics customers that started their SAQ have achieved a passing status
  • 17 days: Average time to reach PCI DSS compliance
  • 0.9 times: Average number of support incidents before customers became compliant
  • Percentage of SecurityMetrics customers that passed their first scan: 74%
  • Average time from finished first scan to first passing scan: 5.5 days
  • Average number of times scanned until merchants pass their PCI scan: 1.57 scans


TOP 10 FAILING SAQ SECTIONS

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.

  2. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.

  3. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.

  4. Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

  5. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

  6. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

  7. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

  8. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

  9. Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.

  10. Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.


TOP 5 FAILED VULNERABILITIES 

  1. TLS VERSION 1.0 PROTOCOL DETECTION: Exists if the remote service accepts connections using TLS 1.0 encryption

  1. SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32): Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites

  1. SSL CERTIFICATE WITH WRONG HOSTNAME: Happens when an SSL certificate for the tested service is for a different host

  1. SSL SELF-SIGNED CERTIFICATE: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)

  1. SSL RC4 CIPHER SUITES SUPPORTED (BAR MITZVAH): Exists when the RC4 encryption algorithm is used in SSL/TLS transmission

Download the latest guide to PCI compliance

Download Now


2019 PCI Compliance Trends

https://info.securitymetrics.com/infographic-2019-pci-compliance-trends

2019 PCI Compliance Trends

2019 PCI COMPLIANCE TRENDS

HOW DOES YOUR ORGANIZATION RANK?

2018 SECURITYMETRICS CUSTOMER TRENDS

  • 72% Percentage of SecurityMetrics customers that passed their first scan
  • 11 days: Average time from finished first scan to first passing scan
  • 1.61 scans: Average number of times scanned until merchants pass their PCI scan
  • 32 days: Average time to reach PCI DSS compliance
  • 1.28 times: Average number of support incidents before customers became compliant
  • 85% of SecurityMetrics customers that started their SAQ have achieved a passing status


TOP 10 FAILING SAQ SECTIONS

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  2. Requirement 12.6.1: Educate personnel upon hire and at least annually.
  3. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  4. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
  5. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
  6. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  7. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  8. Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
  9. Requirement 12.3.5: [Verify that the usage policies define] acceptable uses of the technology.
  10. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.


TOP 5 FAILED VULNERABILITIES 

  1. TLS version 1.0 protocol detection: Exists if the remote service accepts connections using TLS 1.0 encryption
  2. SSL 64-bit block size cipher suites suppoerted (SWEET32): Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites
  3. SSL certification with wrong hostname: Happens when an SSL certificate for the tested service is for a different host
  4. SSL medium strength cipher suites supported: Occurs when a remote host supports the use of SSL ciphers that offer medium strength encryption
  5. SSL self-signed certificate: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)

Download the latest guide to PCI compliance

Download Now

2018 PCI Compliance Trends

https://info.securitymetrics.com/2018-pci-compliance-trends

2018 PCI Compliance Trends


2017 PCI Compliance Trends

https://info.securitymetrics.com/2017-pci-trends-infographic

2017 PCI Compliance Trends


Download the latest guide to PCI compliance

Download Now



2016 PCI Compliance Trends

https://www.securitymetrics.com/static/resources/orange/Current_PCI_Trends.pdf

2016 PCI Compliance Trends


Have an Upcoming PCI Audit Deadline?

Request a Quote Here