
Lack of PCI DSS compliance putting payment security at risk

14 Nov 2019

Organisations across Asia Pacific are demonstrating stronger payments security compliance compared to other parts of the world, however global trends indicate that payments security compliance has dropped for the second year in a row.

These are some of the findings from Verizon’s 2019 Payment Security Report, which found that barely 37% of organisations worldwide are able to achieve and maintain compliance in this space.

The report analyses organisations’ ability to meet and maintain PCI DSS, which is a standard that helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

Geographically, organisations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6%, compared to 48% in Europe, Middle East and Africa (EMEA) and just 20.4% in the Americas.

“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” comments Verizon security consulting global managing director Rodolphe Simonetti.

“We see an increasing number of organisations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data.”

The report analysed compliance across four separate industries: financial services, IT services, retail, and hospitality.

While the finance industry is leading compliance, it is only 2.4% above the global average, the report notes.

Hospitality is named as the sector with the lowest level of compliance.

As a trend measured across six years, the retail sector had the highest level of global payment card breaches by industry (41.2%).

Within the retail industry, mostly online retailers experience compromises, which is reflected in the sector’s low compliance and security maturity.

Simonetti adds there is a close correlation between cyber breaches and the lack of PCI DSS compliance.

“With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”

The report acknowledges that security is more complicated than a one-size-fits-all script to achieve data protection.

Simonetti says many organisations spend time and money creating data protection compliance programs that look good on paper, but don’t stand up to the scrutiny of a real-world professional security assessment.

“We still see chief information security officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes,” Simonetti explains.

Verizon suggests what it calls the 9-5-4 framework. It is designed to help organisations achieve repeatable, consistent and predictable outcomes by offering guidance on how to map, monitor and report the status of sustainability and effectiveness for each of the 9 Factors of Control.

The 9 Factors of Control include: control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment.

This is across each of the essential 4 Lines of Assurance: individual accountability, risk management and compliance teams, internal audit, external audit and regulators.

It is achieved by evaluating the 5 Constraints of Organizational Proficiency: capacity, capability, competence, commitment and communication.
