A new study from Verizon shows businesses suffering a heavy price for not being compliant with their payment security.
Verizon on Wednesday released its 2017 Payment Security Report, which analyzes how organizations protect the privacy of customer payment cards. We analyzed the report and came up with three main findings.
1. Businesses ignore payment security compliance measures at their own peril.
Verizon says it has shown a “demonstrable” correlation between businesses that are up-to-date on the Payment Card Industry Data Security Standard (PCI DSS) and businesses that have successfully defended themselves against cyber threats.
“There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks,” said Rodolphe Simonetti, Verizon’s global managing director for security consulting. “[While] it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small – are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner.”
The key finding is that none of the payment card breaches examined involved a fully PCI DSS-compliant company. Verizon studied nearly 300 breaches that occurred from 2010 to 2016. Those breached payment systems scored lower on compliance in 10 out of 12 of the standard’s main requirements. Those requirements include a regularly maintained firewall, passwords that have been updated from the default, antivirus software, network monitoring and policies that restrict access to cardholder data.
2. Compliance is growing.
But Verizon reports an increase in PCI-compliant companies. The share of surveyed organizations “at interim validation” was 55 percent this year, up from 48 percent in 2015. Only 11 percent passed the compliance measures in 2012.
Which vertical had the highest compliance rate? Perhaps not surprisingly, it was IT services, at 61 percent. Financial services followed at 59 percent, with retail (50 percent) and hospitality (42 percent) trailing further behind. The compliance issues vary by industry: for example, retail struggles with security testing, while financial services struggles with protecting data in transit.
3. Being “compliant” isn’t all that matters.
Despite the increase in compliant companies, Verizon notes a potentially harmful “control gap.” The control gap is the number of failed PCI compliance measures divided by the total number of PCI compliance measures assessed, and that ratio has increased over last year.
“The report highlights the challenges organizations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack,” said Troy Leach, chief technology officer for the PCI Security Standards Council. “This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focus on helping organizations confirm that critical data-security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.”
The PCI requirement that companies most frequently met (94 percent) was restricting user access rights to a “need-to-know” basis. The respondents also scored well (92 percent) on protecting against malicious software. The requirement with the lowest compliance was the testing of security systems and processes; only 72 percent of companies have instituted processes such as vulnerability scanning and penetration testing.
Verizon has been rather prolific in publishing lengthy studies that pertain to cybersecurity and data breaches. It rolled out a survey of more than 42,000 data exposure incidents earlier this year and published a fascinating list of data-breach anecdotes.
Peter Merkulov has several tips for channel partners as they help their clients manage the increasingly complex compliance landscape.