Nine Key Factors to Maintaining Payment Security Compliance

Gabriel Schild

Executive Director Digital Business Transformation at Verizon

Views 460

Nine Key Factors to Maintaining Payment Security Compliance

08.02.2019 10:00 am

Consumers and suppliers both trust brands to effectively secure their payment data, however research shows that compliance with the Payment Card Industry Data Security Standard (PCI DSS), the standard that protects this data is slipping. In order to stop this downward trend, businesses need to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.

Why is compliance so important?

The Payment Card Industry Data Security Standard (PCI DSS) helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. PCI DSS compliance has been shown (via the Verizon Data Breach Investigations Report series) to help protect payment systems from both data breaches and theft of cardholder data, highlighting how vital compliance is.

However, after documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a worrying downward trend with companies failing compliance assessments and perhaps, more importantly, not maintaining full compliance. 

The facts speak for themselves

Data gathered by our PCI DSS qualified security assessors (QSAs) during 2017 demonstrates that PCI compliance is decreasing amongst global businesses, with only 52.4 percent of organisations maintaining full compliance in 2017, compared to 55.4 percent in 2016. Regional differences are highlighted, demonstrating that companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8 percent, compared to those based in Europe (46.4 percent) and the Americas (39.7 percent).

Often these differences can be attributed to the timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems. For example, a PCI project is started in one region and then rolled out across the globe. This means that key learnings are often made and problem areas solved prior to the compliance assessments taking place in other regions.

Every business sector has its own compliance challenges

No two business sectors are the same and this also runs true when it comes to payment security compliance. 

Generally, our research saw IT services remain on top when it came to compliance, with over three-quarters of organizations (77.8 percent) achieving full status. Retail (56.3 percent) and financial services (47.9 percent) were significantly ahead of hospitality organizations (38.5 percent), which demonstrated the lowest compliance sustainability. As we now see businesses often leveraging PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), this gap between the various business sectors that deal with electronic payments on a daily basis is significant.

It is important to remember that one size does not fit all when it comes to compliance strategies as different Industries have different risks inherent to their specific activities. For example, whilst businesses need to be compliant to the entire standard to be PCI DSS certified - retail stores need to specifically concentrate on the security of their ‘Payment Terminals’ (PCI DSS Chapter 9 and Chapter 2); eCommerce is totally different and should focus on all Internal and external scans related to the ‘Web server’ (PCI DSS Chapter 11), not to forget Hardening (PCI DSS Chapter 2) and ‘Key Management for Databases’ (PCI DSS Chapter 3) and finally Financial Services need to be good in all aspects of the Standard. Our experts often see this business sector struggle most with Chapter 6 ‘Develop and Maintain secure systems’ and Chapter 2 ‘Do not use vendor supplied defaults’.

Control effectiveness and sustainability are essential

Over the years we have seen that maintaining compliance is often the issue – specialist PCI Compliance project leaders can leave mid project and the awareness of a company’s compliance status leaves with them; in addition, we see many companies floundering without a clear structure to sustain compliance. Or alternatively we see unskilled professionals being tasked with maintaining compliance with the PCI standard but they do not have the basic knowledge to achieve this goal.

As such we have devised nine factors of control effectiveness and sustainability to support the 12 key requirements of the PCI DSS standard, these are as follows:

  • Factor 1: Control Environment: The sustainability and effectiveness of the 12 Key Requirements depends on a healthy Control Environment.
  • Factor 2: Control Design: Proper control operation to meet DSS security control objectives depends on sound Control Design.
  • Factor 3: Control Risk: Without on-going maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down.  Mitigation of control failures requires integrated management of Control Risk.
  • Factor 4: Control Robustness: Controls operate in dynamic business and ever-changing threat environments.  They must be robust to resist unwanted change to remain functional and perform to specifications (configure standards, access control, system hardening, etc.).
  • Factor 5: Control Resilience: Security controls can potentially still fail, despite adding layers of control for increased robustness, therefore control resilience with proactive discovery and quick recovery from failure is essential for effectiveness and sustainability .
  • Factor 6: Control Lifecycle Management: To achieve all of the above it is necessary to monitor and actively manage security controls throughout each stage of their lifecyclefrom inception to retirement. 
  • Factor 7: Performance Management: Establishing and communicating performance standards to measure the actual performance of the control environment improves control effectiveness, and promotes predictable outcomes of your data protection and compliance activities, allowing for early identification and correction of performance deviations.
  • Factor 8: Maturity Measurement: A control environment should never be stagnant – it must improve continuously. To do so, businesses need a roadmap, a target level of process and capability maturity to track the degree of formality and optimization of processes as indication of how close developing processes are to being complete and capable of continual improvement.
  • Factor 9: Self-Assessment: Achieving all of the above requires in-house proficiency – resource capacity (people, processes and technology), capability (supporting processes), competency (skills, knowledge and experience) and commitment (the will to consistently adhere to compliance requirements) – in short: self-assessment proficiency

Passing PCI compliance validation doesn’t mean that systems are ‘secure’, just that there was no evidence of non-compliance during the assessment period, which is typically just a week or two. On the flip side, security systems are often tested every day. Sustaining compliance with the PCI DSS Standard is not a project, a one-off activity, but an ongoing programme. A programme that needs to adapt to the changing needs of business and new technologies that may be introduced into the business environment.

The key to a compliance processes being effective is the need to be driven from the top. Often this is hindered by the simple fact that general progress or challenges are not clearly communicated or understood by executives. By structuring the compliance process and conversations on our nine factors of control effectiveness and sustainability, executives can obtain a clearer understanding of the process involved and a clearer dialogue can be opened up to avoid unnecessary obstacles.

Latest blogs

Duena Blomstrom N/A

Why A Culture Of “Us Versus Them” Is Deadly

Employees today are by and large unhappy at work. Survey after survey shows mistrust, fear and stagnation reigning supreme. Read more »

Jerry Norton CGI

Extending the bank: Key drivers, technologies and steps

What does it mean to extend the bank? Traditionally, banks have manufactured, distributed and managed all of their own products and services. The concept of extend describes how this traditional model is changing as the value chain becomes unbundled Read more »

David Moss Avi Networks

Maintaining Trust While Navigating through a Multi-Cloud World

Financial services companies are extending data centres with private and public clouds to keep up with demand, but does a multi-cloud environment introduce too much complexity and risk? Read more »

Philippe Martineau OSTP Alliance

Travelers to consumers: Reflecting on this year’s Transport Ticketing Global

With the world’s largest public transport gathering, Transport Ticketing Global, over for another year and our feet firmly in 2019, it seems apt to reflect on the changing global vision set at this year’s event for the future of public transport. Or Read more »

Kyle Ferguson Fraedom

Why banks need to get personal for a piece of the SME pie

The SME market, for the majority of banks, is becoming a key target sector. In the UK, according to the Federation of Small Businesses (FSB), small businesses accounted for 99.3% of all private sector businesses at the start of 2017 and 99.9% were Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App