Payment companies need to act now to make sure their data is protected, to thwart and expanding crime threat and to stay compliant with regulations in most markets.
GDPR is one major regulation on the horizon. In May, the European Commission will introduce an entirely new set of standardized laws designed to unify data protection across the European Union, and they will also apply to any business that operates within those confines.
Due to the significant financial penalties that will be imposed in the event of a breach, noncompliance will not be an option for the vast majority of businesses. Ensuring you are ready for May 2018 must be a priority — not least because this legislation marks the beginning of much further reaching conversations about the introduction of a global privacy standard built with GDPR as its benchmark. It’s now a matter of when, not if.
PCI CDE will be under increasing threat of attack. The cardholder data environment (CDE) is a prime target for hackers and would-be thieves — in the retail sector almost all of the data breaches involve some kind of compromise occurring in the CDE. As with all threats, this is a trend we only expect to increase, however the rising threat can be mitigated with the introduction of controls required to secure the CDE by PCI DSS. Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate.
Despite investment in security and compliance, there are no signs that high-profile hacks are slowing down. In fact, the likelihood is increasing at pace, according to data release by Verizon in 2017. The company noted a 50% increase in attacks year on year, and with even global brand names falling victim in 2017, no business that values its reputation should be taking their eye off the security ball.
And, while 2017 was heralded as the year of ransomware with high-profile attacks such as WannaCry grabbing headlines and causing chaos, 2018 looks set to continue the trend. The particularly bad news is that an increase in ransomware-as-a-service (RaaS) will open up the potential for even non-technical hackers to target poorly secured organizations and consumers. Businesses now more than ever will need to step up their protections if they don’t want to fall foul of the bad guys.
To date, the vast majority of security investment has focused firmly on keeping the bad guys out. It only ever works to a certain extent. This is because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch-up.
We expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take if (and let’s face it, when) they get in. if businesses can remove the valuable data from their environments it no longer matters if and when there is a breach. De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year. Who needs locks anyway?
And finally, if businesses needed another reason to de-scope, July 2018 will see another raft of standard changes being introduced. Each of which will require new changes being made to the environment. The simpler route may well be to de-scope the business altogether from PCI, ensuring compliance and reducing the threat from would-be hackers in one step.