Full security compliance a glaring weakness in payments
If measuring PCI-DSS compliance were like tracking an athletic team's progress, one could say the team was in a bad slump.
The Payment Card Industry Data Security Standard has been the card brands' flagship for protecting consumer card credentials for the past 15 years. For it to work, however, retailers and businesses storing customer payment credentials have to establish full compliance throughout their networks and maintain it year after year. Only one in three companies globally achieves that status.
When Visa launched PCI-DSS in 2004, the industry assumption was organizations would achieve sustainable compliance in five years. However, the number of businesses achieving and maintaining compliance dropped from 52.5% in 2017 [the 2018 report] to just 36.7% worldwide in 2018, according to the Verizon 2019 Payment Security Report.
Geographically, 69.6% of organizations in the Asia-Pacific region sustain full compliance, compared to 48% in Europe and only 20.4% in the Americas.
The drop in full PCI compliance is a security concern, even though the percentage had moved up steadily since 2012, when only 11% of companies were at full compliance. It rose over the next four years to reach 55.4% in 2016. A slight dip to 52.5% occurred in 2017, prior to the more dramatic drop in 2018. On a positive note, the "control gap," or the measure by which companies are rated on how far from full compliance they are, remained steady at 7.2%, meaning that smaller percentage had much work to do.
"The data protection problem is not a technology problem or a knowledge problem," said Ciske Van Oosten, senior manager of the global intelligence division at Verizon Enterprise Solutions and lead author of the Payment Security Report. "We have not come across any case in the world where an organization that has fully maintained its controls and compliance has suffered a data breach."
From that standpoint, the lack of organizations maintaining full compliance comes down to a question of "the proficiency by which you implement and configure" data security tools and follow PCI guidelines in doing so, Van Oosten said.
In short, many companies feel they are in the clear after establishing initial compliance. It's a long-standing PCI problem and is raising its head again in the form of a decreasing number of companies testing and remaining security compliant year-round.
In compiling the 2019 report, Verizon used data from more than 300 PCI-DSS engagements it had with various organizations, including Fortune 500 companies and multinational firms in more than 60 countries. The casework studies included financial, IT, retail and hospitality services.
For its part, the PCI Council has emphasized retailers should remain so vigilant in monitoring their networks that it would put them in a position to be ahead of the curve in thwarting new security threats, rather than just reacting to new breaches.
It's long been felt throughout the payments industry that PCI compliance, over time, can be looked upon as a complex and costly venture that absorbs a lot of manpower hours. In fact, digital technology consultant FIME recently reported fewer than 18% of organizations storing cardholder data measure data security controls across their entire environment more often than is required through PCI.
PCI's compliance guide requires that merchants and service providers undergo a vulnerability scan every 90 days, or once per quarter, and submit compliance documentation at times determined by their acquirer.
The Verizon study pointed out that the largest compliance drop occurred with Requirement 6, which calls for maintaining effective vulnerability management, software development and processes that affect change. Meanwhile, Requirement 11, the one calling for security testing compliance year after year, remained the poorest performer.
"It's a big drop in compliance," Julie Conroy, research director and fraud expert for Aite Group, said of the Verizon report. "A key challenge is that the payment acceptance ecosystem is so large and so diverse, with new endpoints continually emerging."
Merchants don't put up new storefronts with the goal of becoming PCI compliant, Conroy said. "They just want to sell their stuff and build a profitable business," she added. "We still have a big challenge that far too many merchants think data breaches are something that happens to someone else, not realizing that anyone who handles payment information is in the crosshairs."
To address that problem, Verizon has developed a framework to increase proficiency in maintaining compliance, while also outlining constraints that hold back companies. Those constraints include lack of capacity or resources, capability, competence, commitment and lack of a company culture focused on security.
"We know that logging and monitoring your payment data security is very important, and when looking at industry verticals, we found that IT services have a much better grasp on it, while others like financial, retail and hospitality have substantial weaknesses," Van Oosten said.
Because IT is generally farther along than others, it shows that daily log monitoring is critical, Van Oosten said. "You need to automate, automate and automate as much as possible to be proficient at breach detection and response," he added.
As with any security research of the past decade, the Verizon report backs the notion that companies need to take care of the fundamentals of access control and authentication.
"You can go to new and improved techniques, but just taking care of basics is important," Van Oosten said. "Many of the breaches we have would not happen if the company did not rely on just simple passwords [for access and authorization]."
Companies also have to understand security breaches occur all of the time, but they do not mean there will always be a data compromise, Van Oosten noted. "If someone breaks down the door to your house, you are not going to have all of your valuables spread out across the floor to be taken," he said. "It is the same with payment data, as it should be tokenized, encrypted and stored in other places."
A security breach "never needs to result in a data compromise," Van Oosten said.