Why is Payment Security Compliance Declining with only 1 in 3 Companies Globally Making the Grade?

Why is Payment Security Compliance Declining with only 1 in 3 Companies Globally Making the Grade?

Gabriel Leperlier

Senior Manager Security Consulting EMEA at Verizon Enterprise Solutions

Views 605

Why is Payment Security Compliance Declining with only 1 in 3 Companies Globally Making the Grade?

25.03.2020 07:00 am

When companies are attacked, personal and financial customer information from payment card data is often the target. The Payment Card Industry Data Security Standard (PCI DSS) was designed to help protect payment data from the point of purchase and beyond. Surprisingly Verizon has seen compliance to this standard decline over recent years.  Verizon’s 2019 Payment Security Report digs deeper to see why this happening and more importantly with the latest version of the PCI DSS standard 4.0 launching soon, how businesses can turn this trend around by rethinking how they implement and structure their compliance programs.

When Visa Inc. initially launched the PCI DSS in 2004, many assumed that organizations would achieve effective and sustainable compliance within five years. Now, 15 years on, the number of businesses achieving and maintaining compliance has dropped from 52.5 percent (2018 PSR) to a low of just 36.7 percent worldwide. Geographically, organizations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6 percent, compared to 48 percent in Europe, Middle East and Africa (EMEA) and just 20.4 percent (1 in 5) in the Americas.

Putting the business sectors under the microscope

By examining key industry sectors we can see that they not only differ in their compliance ratings but also in how they fall short of full compliance, requiring industry specific re-alignment in order to increase their rankings.

Retail - Four years ago, retail data was most often compromised at the point of sale. Since that time, Europay, Mastercard and Visa (EMV) technology was introduced in the United States and since has appeared to have reduced the value proposition of card-present fraud, and our research shows that data breaches are primarily occurring through web applications. However, security breaches haven’t been entirely eliminated. Retailers must still remain vigilant about protecting card data. The compliance rate within retail organisations ranked at 26.3 percent, in line with IT services. Where they fell short in meeting PCI DSS requirements was in using too many vendor-supplied defaults across in-scope components (Requirement 2) and importantly in complying with the requirement to have good security management (Requirement 12). This was also reflected by retail scoring the lowest of all industries studied in data breach incident preparedness, struggling with identifying users and ensuring that they had the right level of privileges; following due diligence when engaging service providers; detecting unauthorized wireless access points and maintaining an incident response (IR) plan.

Hospitality – While hospitality still had the lowest score for encrypting data in transit (PCI DSS Requirement 4), it was the only industry that improved in this category from the previous year. Hospitality also improved at protecting against malicious software (Requirement 5). It showed the most improvement of any industry in meeting this requirement, increasing its compliance to 84.2 percent. Hospitality was the only sector we studied in the 2019 PSR that improved its ability to control physical access (Requirement 9) from the previous year, increasing its compliance score to 63.2 percent.  While hospitality lagged behind other industries at protecting stored cardholder data (Requirement 3), it also had some unique challenges to overcome, including a lack of mature solutions designed for hospitality environments. Hospitality struggled most with user identification and authentication, reviewing and testing the incident response plan, and training on breach responsibilities.

Finance - The financial services industry is facing a rapidly changing landscape. Customers are demanding new ways to engage and conduct personalized transactions—particularly over mobile devices. Meanwhile, the industry continues to see entrants from other industries offer financial products. In this competitive and highly regulated environment, the ability to protect payment card data can be a crucial differentiator. Customers have high expectations that financial service providers understand the need for payment security better than other kinds of businesses. According to our PSR data the financial services industry did better than any other industry on PCI DSS requirements however they can do a better job of encrypting data in transit (Requirement 4) as well as protecting against malicious software (Requirement 5).

New Verizon framework to help businesses navigate payment security compliance

Many organizations spend a lot of time and money creating data protection compliance programs, but often these are ineffective — looking good on paper but not able to withstand the scrutiny of a professional security assessment. We still see Chief Information Security Officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.

Data protection and compliance present daily challenges. Many organizations believe they can use a one-size-fits-all script to achieve effective and sustainable data protection. However, in the real world, security is more complicated.

In previous Payment Security Reports, we developed methodology to help organizations manage their Data Protection Compliance Programs (DPCPs). These have now been combined to form the Verizon 9-5-4 Compliance Program Performance Framework — a guideline which helps develop and improve capability and process maturity.

The 9-5-4 Framework is designed to help organizations achieve repeatable, consistent and predictable outcomes by offering guidance on how to map, monitor and report the status of sustainability and effectiveness for each of the 9 Factors of Control Effectiveness and Sustainability — including control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment. This is across each of the essential 4 lines of assurance — individual accountability, risk management and compliance teams, internal audit, external audit and regulators — and is achieved by evaluating the 5 Constraints of Organizational Proficiency  — capacity, capability, competence, commitment and communication.

What is clear from our findings in this year’s report is that many organisations still have a way to go to be fully compliant but with the right tools and focus it is possible. Payment security compliance is key.

Data from our Verizon Threat Research Advisory Center (VTRAC) also demonstrates that a compliance program without the proper controls to protect data has a more than 95 percent probability of not being sustainable and is more likely to be a potential target of a cyberattack.

For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches.  There is a no public record of any organization ever experiencing a confirmed payment card data compromise at the time of being compliant with PCI DSS. Compliance works!

Latest blogs

n/a n/a

Tips on How to Successfully Trade CFDs

A CFD or contract for difference is a financial product that allows a trader to speculate on asset classed without owning a portion of the underlying asset. A CFD trade is not an investment but high-risk speculation that carries the risk of losing Read more »

Patrick McKinney and Joe Fuchs Wolters Kluwer Finance, Risk & Regulatory Reporting

Building an Integrated Data Management System: A Guide for Digital Banks

Digital banks and other FinTechs are emerging as more nimble competitors to established legacy banks. The digital banks that are on their way to becoming fully chartered have the opportunity to setup fully automated processes and systems without Read more »

n/a n/a

How COVID-19 Is Ushering In a New Era of Cashless Technology

  Image source: https://www.pexels.com/photo/person-shopping-online-3944405/   Cashless technology isn't a completely fresh concept. People have been using credit cards for decades, and the market for fintech services has been Read more »

Jean Shin tyntec

Using WhatsApp for 2FA is the Future of Banking

From user authentication and password resets to transaction verification, two-factor authentication (2FA) offers basic but useful protection for consumers. The 2FA process typically sends an SMS sent to the customer with a one-time password (OTP). Read more »

Amir Ghodrati App Annie

The Role of Fintech Apps in Navigating This Period of Financial Insecurity

Economic instability has been ricocheting throughout the stock market in the wake of the global coronavirus pandemic. Its effects have been felt across all industries, with winners and losers’ across different sectors. So, how has fintech Read more »

Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel