Merchant security is struggling to keep pace with tech

Register now

Merchants increasingly fall short of security standards as digital commerce innovation pressures risk management.

For example, the number of organizations in full compliance with the Payment Card Industry data security standards dropped for the first time in the six years, according to the Verizon 2018 Payment Security Report. Continuing an ongoing trend, merchants are having a difficult time maintaining PCI compliance, even if they pass an annual audit.

Verizon this year reports that 52.5 percent of organizations were fully compliant last year, compared to 55.4 percent in 2016.
The dip in fully compliant organizations is the result of merchants not quickly adjusting to new PCI standards taking hold regarding everything from web security to third-party vendor awareness.

"The problem is not a lack of knowledge, because organizations know what they have to do" to secure data, said Ciske Van Oosten, senior manager of global intelligence and security assurance consulting for Verizon Enterprise Solutions. "It's more about how often they do it (compliance testing), so it's not a technology knowledge issue, it's a proficiency issue."

In viewing all of the underlying factors in data security for the past 14 years, the Verizon report has taken into account various patterns and reasons for security breaches or failure to recognize malware attacks, Van Oosten said.

Organizations have to understand that they cannot look at their data security controls in their own environment, or in isolation, and expect them to work flawlessly outside of that environment, according to Van Oosten "It is equally dangerous to not understand the control design and expecting them to work "right out of the box," Oosten said. "It takes much more tailoring to get the controls to work the way you want and to fit the organization profile."

Also, security controls degrade over time, or even quickly, because of changing technology. Organizations should understand the control's ability to resist any changes to the functions or performance specifications from outside influences. Additionally, security controls should be able to recover quickly from failure and it should be managed throughout its lifecycle for performance and maturity, or continued improvement. Finally, an organization has to establish self-assessment as an ongoing policy as a frequent checkpoint for how the controls are performing or holding up within a network.

Data gathered by Verizon’s PCI-DSS qualified security assessors during 2017 also highlights regional differences, as companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8 percent, compared to those based in Europe at 46.4 percent and the Americas at 39.7 percent.

By business sector, IT services remain on top when it comes to compliance, with more than three-quarters of organizations at 77.8 percent achieving full status. Retail (56.3 percent) and financial services (47.9 percent) were significantly ahead of hospitality organizations (38.5 percent), which demonstrated the lowest compliance sustainability.

Verizon's results are similar to a recent ranking of sectors by analysis and rating firm Security Scorecard, which analyzed 1,444 retail website domains and found the retail industry was at or near the bottom when compared to other industries in cybersecurity readiness.

Nearly 98 percent of domains presented at least one issue indicating PCI non-compliance with a requirement for development and maintenance of secure systems and applications, and 91 percent showed potential non-compliance with the updated version of that requirement calling for timely installation of vendor-supplied security patches.

The retail industry scored second to last in application security, with only the entertainment industry scoring lower. However, the retail industry scored lowest in social engineering vulnerabilities.

"We see what a hacker sees in looking at the digital footprint of all of the domains," said Fouad Khalil, head of compliance at New York City-based SecurityScorecard. Overall, the company has 300,000 domains on its platform for analysis and comparison in 20 different industries.

The industries are scored on application security, vulnerabilities to social engineering ploys and their abilities to make compliance adjustments in near real-time.

SecurityScorecard doesn't publish the number rankings for the industries, in which the legal industry was rated the best in application security and government entities were first in security against social engineering attacks.

Retail was at the bottom of cybersecurity ratings in social engineering, mostly because of the nature of its workforce, Khalil said.

"Retailers hire a lot of new professionals just starting their careers, and their exposure to cyber threats and things they need to be aware of is less than that of a seasoned professional," Khalil added.

That newer workforce is a perfect target for e-mail or text-based phishing scams or phone call scams known as vishing, Khalil said.

"Retail tends to be service-oriented, so they want to service the caller or the sender of an e-mail," he added. "When they see something from what they believe is someone within the organization, or the CEO, they provide the information they ask for."

Hackers also have success when calling an employee directly, making the number appear to be local, and then telling the employee they are the company's support group and need your password to resolve an application issue, Khalil said.

For reprint and licensing requests for this article, click here.