sb-eu logo
Story image

Lack of PCI DSS compliance putting payment security at risk

14 Nov 2019

Organisations across Asia Pacific are demonstrating stronger payments security compliance compared to other parts of the world, however global trends indicate that payments security compliance has dropped for the second year in a row.

These are some of the findings from Verizon’s 2019 Payment Security Report, which found that barely 37% of organisations worldwide are able to achieve and maintain compliance in this space.

The report analyses organisations’ ability to meet and maintain PCI DSS, which is a standard that helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

Geographically, organisations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6%, compared to 48% in Europe, Middle East and Africa (EMEA) and just 20.4% in the Americas.

“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” comments Verizon security consulting global managing director Rodolphe Simonetti.

“We see an increasing number of organisations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data.”

The report analysed compliance across four separate industries: financial services, IT services, retail, and hospitality.

While the finance industry is leading compliance, it is only 2.4% above the global average, the report notes.

Hospitality is named as the sector with the lowest level of compliance.

As a trend measured across six years, the retail sector had the highest level of global payment card breaches by industry (41.2%).

Within the retail industry, mostly online retailers experience compromises, which is reflected in the sector’s low compliance and security maturity.

 Simonetti adds there is a close correlation between cyber breaches and the lack of PCI DSS compliance.

“With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”

The report acknowledges that security is more complicated than a one-size-fits-all script to achieve data protection.

Simonetti says many organisations spend time and money creating data protection compliance programs that look good on paper, but don’t stand up to the scrutiny of a real-world professional security assessment.

“We still see chief information security officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes,” Simonetti explains.

Verizon suggests a framework called the 9-5-4 framework. It is designed to help organizations achieve repeatable, consistent and predictable outcomes by offering guidance on how to map, monitor and report the status of sustainability and effectiveness for each of the 9 Factors of Control.

The 9 Factors of Control include: control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment.

This is across each of the essential 4 Lines of Assurance: individual accountability, risk management and compliance teams, internal audit, external audit and regulators.

It is achieved by evaluating the 5 Constraints of Organizational Proficiency: capacity, capability, competence, commitment and communication.

Story image
Cyber attacks use LinkedIn to target companies and employees
The attacks, which ESET researchers have called Operation In(ter)ception, took place from September to December 2019 and are notable for using LinkedIn-based spearphishing. More
Story image
Phishing attack exploited Samsung, Adobe servers for Office 365 credentials
The campaign used seemingly credible web domain names to lure its victims and bypass security filters, including from Oxford University, Adobe and Samsung.More
Story image
Why DX is not complete without a transformed security architecture
Secure Access Services Edge (SASE) is the process by which core WAN edge capabilities like SD-WAN, routing, and WAN optimisation at branch locations are integrated with cloud-based security services like secure web gateways, firewall-as-a-service, cloud access security brokers, and more.More
Story image
Australians ignoring cybersecurity policies in favour of productivity
Trend Micro has found that 67% of remote workers have increased their cybersecurity awareness during COVID-19 related lockdowns. However, despite greater awareness people may still engage in risky behaviour, the survey finds.More
Story image
Training is essential to build cybersecurity awareness
More than ever, businesses need to ensure that all their workers have the right skills and training to protect the business from cybercrime.  More
Story image
Illumio launches Zero Trust endpoint protection solution for our digital, remote world
“As organisations were forced to transform overnight to allow for remote work, a host of endpoint security issues that have either been ignored or invisible until now were brought to the forefront."More