‘Compliance with the Payment Card Industry Data Security Standard (PCI DSS) has declined for the third year in a row, with organizations failing in their long-term planning, according to Verizon.’ says Phil Muncaster of Infosecurity Magazine.
Verizon Business President of Global Enterprise, Sampath Sowmyanarayan, argues that many firms still lack resources and commitment from the top to drive long-term compliance strategies.
‘The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information,’ he argues.
‘Payment security has to be seen as an on-going business priority by all companies that handle any payment data, they have a fundamental responsibility to their customers, suppliers and consumers.’
Verizon’s latest 2020 Payment Security Report is based on data gathered by its own PCI DSS qualified security assessors (QSAs) and those of other providers and demonstrates a significant drop in PCI compliance of nearly 9% in 2019, to only 27.9% compliance, and a massive 27.5% drop since PCI compliance peaked in 2016.
On average only 27.9% of global organizations maintained full compliance with the PCI DSS, the third year in a row that compliance has decreased. The report rates control sustainability—the ability to keep controls in place—not the ability to achieve once-per-year compliance.
This should be considered a concerning trend when the declining level of PCI compliance reflects on the ability of organisations to meet the requirements of the standard and sustain effective compliance over time. This demonstrates that organisations are struggling to keep their PCI data security controls in place.
Maxine Holt, Senior Research Director at Omdia, said the report’s findings should serve as a wake-up call to businesses; ‘The alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, in this case with PCI DSS 3.2.1, to provide appropriate levels of payment security,’ she said.
Achieving PCI DSS compliance has been the focus of significant programs of work for many years for many organisations since PCI DSS first emerged in 2005, and many of those program teams will have been disbanded as compliance was achieved, and experience and knowledge of PCI compliance has consequentially evaporated.
The report demonstrates that over the last three years maintaining PCI compliance has been a far more difficult proposition than achieving it and Verizon make a statement in the report that leadership failures endanger payment security, and explores in some detail why sustainable compliance with PCI DSS continues to decline.
The report considers that as the world adapts to digital transformation and other disruptions, such as the coronavirus, control sustainability can only get more complicated—and important.
The report goes on to say that whilst payment security can be well engineered, if it is maintained with a wash-rinse-repeat cycle of validation, an unexpected shift can render its defences useless and that thoughtful, strategic consideration needs to be baked into processes.
A solid compliance program requires agility, adaptation, innovation and higher levels of maturity to withstand future threats, no more prevalent in our lives currently than the global coronavirus pandemic.
Whereas businesses previously invested in security models based on office based working practices, significant and sometimes not-yet-fully-matured changes have had to be made to make current practices compatible with long-term shifts in work-from-home practices; almost certainly permanent for many workers.
Bring-your-own-device (BYOD) and other mobile risks have massively increased since coronavirus drove a considerable percentage of our workforces to work elsewhere but the office.
How adequate modified security controls are now that remote-based work patterns have become our normality will only become clear over time. Data security strategies need to be able to adapt to rebuild data security programs and be applicable to this type of situation in the future.
The Verizon report talks about when big shifts happen, such as digital transformation. The race is on to secure cryptographic systems that will become easily crackable and outdated in 20 years because quantum computing will be millions of times faster than present computer technologies, according to the National Institute of Standards and Technology (NIST).
Such shifts make it inevitable that we will continue to have to alter the way we do things, and digital transformation is likely to impact our data security strategy and program multiple times. Also discussed is how we are facing potential change at warp speed because of a predicted Fourth Industrial Revolution, which will advance the use of robotics, artificial intelligence (AI), the Internet of Things (IoT) and other technologies. significant accompanying risk.
Concurrently, mobile devices are taking a leading role in payment security. In 2016, the use of mobile devices for online payments surpassed in number the same use by computers and this trend is disconcerting for payment security, considering the comparative lack of protections on mobile devices and exacerbated if we fail to integrate mobile into our payment security plans.
The payments and data security industry must remain cognisant of changes in the near future and look out for big uncontrollable shifts whilst maintaining PCI DSS control sustainability; flexibility, adaptability and backup plans are key in case shifts happen unexpectedly.
Verizon notes that threat actors are devising new methods of disruption daily, such as the new mobile banking Trojan EventBot, which can bypass multifactor authentication to steal user data from financial applications, and points to the criticality of building strategic, unbreachable adaptable payment environments founded on reliable, repeatable methodologies.
Verizon goes to great lengths to identify what it calls the top 7 strategic data security management traps, which it sees as key reasons for the downward trend in PCI control sustainability including:
- Inadequate leadership - collective leadership lack the skills, competency, experience and resources to operate effective and sustainable data security compliance management systems.
- Failing to secure strategic support – having a sound security strategy and plan in place is essential to be able to communicate the business model for security to the Board to show how data security and compliance generate value for the organization. This also goes a long way to help secure investment in data security resources to facilitate long-term sustainability.
- Lack of resourcing capabilities – organisations often lack cybersecurity skills, especially security management and strategic planning and execution. Developing organisational maturity in these skills is paramount when developing process and capability maturities needed to achieve a sustainable and effective control environment with predictable outputs.
- Falling short on sound strategic design - effective data security compliance programs start with a sound strategy
- Communication and culture constraints - poor company communication can be a significant, underlying reason for downward trends in compliance; to develop a broader security culture a strong communications plan that clarifies and justifies risk and security that catalyses employees to embrace them and that directly align with business goals and vision to gain the support required to be effective and sustainable long term.
While data security and PCI compliance is a complex problem, it doesn’t need to be complicated and our proven approach to demystifying and simplifying clients’ PCI DSS journey is something that our PCI consultancy practice is very well known for and very proud of.
UKDataSecure can make PCI compliance much easier for you to achieve and maintain; we have over 12 years’ experience of implementing and governing PCI compliance programmes with multiple level 1 merchants in the UK.
Not only can we ensure that you keep your PCI controls in place ins sustainable manner, but amongst other things we provide leadership, strategic support and resources, all identified by Verizon as reasons for failing data security strategies and falling levels of sustainable PCI compliance; we can also deliver appropriate awareness training from the Board down within your organisation.
For further information visit Demystify and Comply with PCI DSS (ukdatasecure.com)
Please contact us to talk about your PCI requirements today https://bit.ly/ukdsbookacall
Sources:
- Verizon 2020 Payment Security Report #verizon2020paymentsecurityreport #verizon
- Infosecurity Magazine #infosecuritymagazine
Comments