Dark Reading is part of the Informa Tech Division of Informa PLC


10/6/2020
07:00 PM
Maxine Holt
Commentary

Verizon Payment Security Report is a Wake-up Call: Time to Refocus on PCI DSS Compliance

Too many organizations fail to enact the baseline payment security controls, according to the Verizon 2020 Payment Security Report.

This week sees the launch of Verizon’s annual Payment Security Report, which looks at how organizations are maintaining – and not maintaining – compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Of significant concern is that the report highlights a continued, marked decline in compliance sustainability since 2016. Illustrating these findings is a late September news headline detailing how a technology provider failed to adequately protect bank account information.

Time and again, consumers have been let down by poor security controls. Why are organizations still failing to protect customer information?

Blackbaud ransomware security incident not over yet

Blackbaud is a global cloud software and services company founded nearly 40 years ago. Using the slogan, "powering social good," it is headquartered in Charleston, South Carolina.

Earlier in 2020, it was announced that education institutions and charities were among an unknown number of organizations affected by a successful ransomware attack on Blackbaud. Blackbaud paid off the attackers, but it remains unclear whether the cybercriminals kept their side of the bargain.

The potential exposure of personally identifiable information (PII) was already known from the first reports of the ransomware attack. Blackbaud subsequently noted that prior to locking the cybercriminals out of its systems, the attackers removed a copy of a subset of data from its self-hosted (private cloud) environment.

Bank account information was not previously thought to have been exposed in the security incident.

However, at the end of September, Blackbaud submitted an 8-K filing to the U.S. Securities and Exchange Commission (SEC), stating that the attack had been more invasive than it initially thought.

“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,” according to the company's 8-K statement.

Blackbaud states on its website that it “acknowledges our responsibility for compliance with PCI requirements and protection of any cardholder data that we, as a service provider, possess, store, process, or transmit on behalf of the customer.”

Verizon Payment Security Report identifies many shortcomings

The Verizon 2020 Payment Security Report, released on Oct. 6, 2020, outlines the data security and compliance challenges facing organizations charged with securing payment processes. In particular, the report focuses on the state of PCI DSS version 3.2.1 compliance sustainability to date, as well as looks forward at what organizations can do to improve payment security.

This year’s report notes that compliance sustainability continues to fall, year on year, dating as far back as 2016. Looking at data from 2019, only 27.9% of organizations achieved 100% compliance during interim compliance validation. Overall, the report comments that lack of long-term security thinking – organizations that focus on applying quick fixes instead of creating and executing a larger strategy – is severely impacting sustained PCI DSS compliance.

Omdia research very much resonates with the findings of the Verizon report. It is a wake-up call to organizations that strong leadership is required to address failures, adequately manage payment security, and comply with PCI DSS security controls.

The alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, whether that is with PCI DSS, the EU General Data Protection Regulation (GDPR), or any other regulation to which organizations are subject. Security is not compliance, and vice versa, but security does have a huge bearing on compliance; security must be aligned with PCI DSS compliance, and other key organizational requirements.

But any successful strategic initiative requires a stakeholder who is charged with seeing it through. Unfortunately, in most organizations no single individual or role is responsible for compliance, security, and risk, which means that the best-laid plans can fall through the cracks.

Omdia concurs with the report’s comment that long-term data security and compliance success will require the combined efforts of multiple roles, including the Chief Information Security Officer, Chief Risk Officer, and Chief Compliance Officer.

Organizations must get a grip on compliance and uphold their customers’ trust, which is all too readily damaged by inadequate actions.

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ...