
Lack of PCI DSS compliance putting payment security at risk

14 Nov 2019

Organisations across Asia Pacific are demonstrating stronger payment security compliance than other parts of the world; however, global trends indicate that payment security compliance has dropped for the second year in a row.

These are some of the findings from Verizon’s 2019 Payment Security Report, which found that barely 37% of organisations worldwide are able to achieve and maintain compliance in this space.

The report analyses organisations’ ability to meet and maintain PCI DSS, which is a standard that helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

Geographically, organisations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6%, compared to 48% in Europe, Middle East and Africa (EMEA) and just 20.4% in the Americas.

“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” comments Verizon security consulting global managing director Rodolphe Simonetti.

“We see an increasing number of organisations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data.”

The report analysed compliance across four separate industries: financial services, IT services, retail, and hospitality.

While the finance industry is leading compliance, it is only 2.4% above the global average, the report notes.

Hospitality is named as the sector with the lowest level of compliance.

As a trend measured across six years, the retail sector had the highest level of global payment card breaches by industry (41.2%).

Within the retail industry, compromises mostly affect online retailers, which is reflected in the sector’s low compliance and security maturity.

Simonetti adds there is a close correlation between cyber breaches and the lack of PCI DSS compliance.

“With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”

The report acknowledges that security is more complicated than a one-size-fits-all script to achieve data protection.

Simonetti says many organisations spend time and money creating data protection compliance programs that look good on paper, but don’t stand up to the scrutiny of a real-world professional security assessment.

“We still see chief information security officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes,” Simonetti explains.

Verizon suggests a framework it calls the 9-5-4 framework. It is designed to help organisations achieve repeatable, consistent and predictable outcomes by offering guidance on how to map, monitor and report the sustainability and effectiveness of each of the 9 Factors of Control.

The 9 Factors of Control include: control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment.

These are tracked across each of the 4 Lines of Assurance: individual accountability, risk management and compliance teams, internal audit, and external audit and regulators.

It is achieved by evaluating the 5 Constraints of Organizational Proficiency: capacity, capability, competence, commitment and communication.
