It’s becoming clear that complying with Payment Card Industry Data Security Standards (PCI DSS) helps companies fight off cyberattacks, but many companies are still only doing the minimum to protect data while breaches continue to rise, according to the latest Verizon Payment Security Report.
Nearly half of companies Verizon analyzed in its recent survey failed to protect card data on an ongoing basis, though the number of companies in that bucket has declined since the last survey in 2015.
The percentage of organizations Verizon assessed achieving PCI compliance during the survey period for the 2017 report was 55.4%, up from 48.4% in 2015, Verizon said.
“While it's good to see PCI compliance increasing, the fact remains that over 40% of the global organizations we assessed—large and small—are still not meeting PCI DSS compliance standards,” Randolphe Simonetti, Verizon’s global managing director for security consulting, said in a Thursday press release.
Equally troubling is the fact that among companies that pass PCI DSS validation, nearly half fall out of compliance within a year, Simonetti added.
“There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks,” Simonetti said in the release, pointing to the fact that of all payment card data breaches Verizon investigated during the survey period, no organization was fully compliant at the time of the breach.
Nearly half of all retailers, restaurants, hotels and other businesses that take card payments are failing to consistently maintain PCI DSS compliance, according to Verizon.
Retailers struggle with security testing, encrypted data transmissions and authentication, and hospitality companies face extra challenges with security hardening, protecting data in transit and physical security, Verizon said.
Financial services companies face difficulties with security procedures, secure configurations, protecting data in transit and overall risk and vulnerability management, according to the report.
In general, companies are getting sloppier in maintaining basic PCI controls that could protect against breaches, including routine security testing and penetration tests, Verizon said in its report.
Within companies that failed PCI DSS compliance assessments in 2015, an average of 12.4% of basic controls were absent; this figure rose to 13% in 2016, Verizon said.
Though many organizations may lack in-house specialists devoted to securing data, it’s not hard to teach an employee how to manage the lifecycle of the basic controls PCI recommends, according to Simonetti.
“In our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts,” Simonetti said in the press release.
Verizon’s report underscores the ongoing challenge of battling evolving threats to data security, said Troy Leach, chief technology officer for the PCI Security Standards Council.
“I’m very pleased with incremental improvements we’re seeing, which show the maturation of merchants and service providers, but organizations still need to recognize that data security is an ongoing process, not a moment in time,” Leach said.
Instead of focusing on compliance, companies need to commit to maintaining basic data-security controls throughout the year, Leach said.
“We’re almost in a renaissance of payments right now, and with all the different ways we’re processing payments, it creates new opportunities for risk that organized criminals are going to try to capture and monetize, and we need to stay up with that risk with education and discipline within companies,” Leach said.
Companies are making some great headway in devaluing information by supporting dynamic tokens with methods like EMV, he said.
“The next big priority is dynamic authentication, leveraging multiple factors to randomize the actual transaction, and introducing transaction identification,” Leach said. “In payments we have the ability to change the value of certain data criminals are going after, and teach the next generation of business administrators and leaders how to go about protecting data on an ongoing basis, not just to meet compliance requirements.”
Balancing data security with innovation will continue to be another part of the battle to protect data, Leach said.
“Things are moving at such a fast pace that if you put something in place to protect data and start to codify that, you may inhibit innovation from future," he said. "So we have to keep our minds open to make sure the controls themselves are smart technology that won’t limit us.”