Lack of PCI DSS compliance putting payment security at risk
Organisations across Asia Pacific are demonstrating stronger payments security compliance compared to other parts of the world, however global trends indicate that payments security compliance has dropped for the second year in a row.
These are some of the findings from Verizon’s 2019 Payment Security Report, which found that barely 37% of organisations worldwide are able to achieve and maintain compliance in this space.
The report analyses organisations’ ability to meet and maintain PCI DSS, which is a standard that helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.
Geographically, organisations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6%, compared to 48% in Europe, Middle East and Africa (EMEA) and just 20.4% in the Americas.
“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” comments Verizon security consulting global managing director Rodolphe Simonetti.
“We see an increasing number of organisations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data.”
The report analysed compliance across four separate industries: financial services, IT services, retail, and hospitality.
While the finance industry is leading compliance, it is only 2.4% above the global average, the report notes.
Hospitality is named as the sector with the lowest level of compliance.
As a trend measured across six years, the retail sector had the highest level of global payment card breaches by industry (41.2%).
Within the retail industry, mostly online retailers experience compromises, which is reflected in the sector’s low compliance and security maturity.
Simonetti adds there is a close correlation between cyber breaches and the lack of PCI DSS compliance.
“With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”
The report acknowledges that security is more complicated than a one-size-fits-all script to achieve data protection.
Simonetti says many organisations spend time and money creating data protection compliance programs that look good on paper, but don’t stand up to the scrutiny of a real-world professional security assessment.
“We still see chief information security officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes,” Simonetti explains.
Verizon suggests a framework called the 9-5-4 framework. It is designed to help organizations achieve repeatable, consistent and predictable outcomes by offering guidance on how to map, monitor and report the status of sustainability and effectiveness for each of the 9 Factors of Control.
The 9 Factors of Control include: control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment.
This is across each of the essential 4 Lines of Assurance: individual accountability, risk management and compliance teams, internal audit, external audit and regulators.
It is achieved by evaluating the 5 Constraints of Organizational Proficiency: capacity, capability, competence, commitment and communication.