BASKING RIDGE, N.J.—With cybercrime on the rise, payment card security is increasingly a focus for companies and consumers alike. The Payment Card Industry Data Security Standard (PCI DSS) was put in place to help businesses that take card payments protect their payment systems from breaches and theft of cardholder data. A recent report from Verizon that tracks the measurable performance of PCI compliance found that while overall PCI compliance has increased among global businesses, more than half are still failing to maintain compliance from year to year.
About 55 percent of the organizations in Verizon’s 2017 Payment Security Report passed their interim assessment in 2016, an increase from 2015, when about 48 percent of organizations achieved full compliance during their interim validation. About 42 percent of the hospitality industry achieved full compliance during interim validation in 2016. What’s more, the report found a link between organizations’ compliance with the standard and their ability to defend themselves against cyberattacks. Of all the payment card data breaches Verizon investigated, no breached organization was fully compliant at the time of the breach, and the breached organizations showed lower compliance with 10 of the 12 PCI DSS key requirements.
“There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyber attacks,” comments Rodolphe Simonetti, global managing director for security consulting, Verizon. “Whilst it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed—large and small—are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year—and many much sooner.”
Verizon’s 2017 report also flagged the compliance challenges faced by specific business sectors; for hospitality and travel, those challenges include security hardening, protecting data in transit, and physical security. When looking at the PCI controls that companies would be expected to implement, such as security testing and penetration tests, the report found that many of these basic control measures were absent. In 2015, companies failing their interim assessment had an average of 12.4 percent of controls absent, and this increased to 13 percent in 2016.
Simonetti continues, “It is no longer the question of ‘if’ data must be protected, but ‘how’ to achieve sustainable data protection. Many organizations still look at PCI DSS controls in isolation and don’t appreciate that they are inter-related—the concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals—however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts.”
The report offered five key guidelines to assist with control lifecycle management:
- Consolidate for ease of management. Adding more security controls is not always the answer; the PCI DSS Standard already contains numerous interlinked data protection standards and regulations. Organizations should be able to use this to consolidate controls, making them easier to manage overall.
- Invest in developing expertise. Organizations should invest in their people to develop and maintain their knowledge of how to enhance, monitor, and measure the effectiveness of controls in place.
- Apply a balanced approach. Companies need to maintain an internal control environment that is both robust and resilient if they want to avoid controls falling out of compliance.
- Automate everything possible. Applying data protection workflow and automation can be a huge asset in control management, but all automation also needs to be frequently audited.
- Design, operate, and manage the internal control environment. The performance of each control is inter-linked. If there is a problem at the top, this will impact the performance of the controls at the bottom. It is essential to understand this in order to achieve and maintain an effective and sustainable data protection program.
Troy Leach, chief technology officer for the PCI Security Standards Council, comments: “The report highlights the challenges organizations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack. This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focuses on helping organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.”