Lack of PCI DSS compliance putting payment security at risk

14 Nov 2019

Organisations across Asia Pacific are demonstrating stronger payments security compliance than other parts of the world; however, global trends indicate that payments security compliance has dropped for the second year in a row.

These are some of the findings from Verizon’s 2019 Payment Security Report, which found that barely 37% of organisations worldwide are able to achieve and maintain compliance in this space.

The report analyses organisations’ ability to meet and maintain PCI DSS, which is a standard that helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

Geographically, organisations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6%, compared to 48% in Europe, Middle East and Africa (EMEA) and just 20.4% in the Americas.

“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” comments Verizon security consulting global managing director Rodolphe Simonetti.

“We see an increasing number of organisations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data.”

The report analysed compliance across four separate industries: financial services, IT services, retail, and hospitality.

While the finance industry is leading compliance, it is only 2.4% above the global average, the report notes.

Hospitality is named as the sector with the lowest level of compliance.

As a trend measured across six years, the retail sector had the highest level of global payment card breaches by industry (41.2%).

Within the retail industry, it is mostly online retailers that experience compromises, which is reflected in the sector’s low compliance and security maturity.

Simonetti adds that there is a close correlation between cyber breaches and the lack of PCI DSS compliance.

“With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”

The report acknowledges that security is more complicated than a one-size-fits-all script to achieve data protection.

Simonetti says many organisations spend time and money creating data protection compliance programs that look good on paper, but don’t stand up to the scrutiny of a real-world professional security assessment.

“We still see chief information security officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes,” Simonetti explains.

Verizon proposes what it calls the 9-5-4 framework. It is designed to help organisations achieve repeatable, consistent and predictable outcomes by offering guidance on how to map, monitor and report the status of sustainability and effectiveness for each of the 9 Factors of Control.

The 9 Factors of Control include: control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment.

This is done across each of the essential 4 Lines of Assurance: individual accountability, risk management and compliance teams, internal audit, and external audit and regulators.

It is achieved by evaluating the 5 Constraints of Organizational Proficiency: capacity, capability, competence, commitment and communication.
