Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


07:00 PM
Maxine Holt
Maxine Holt
Connect Directly
E-Mail vvv

Verizon Payment Security Report is a Wake-up Call: Time to Refocus on PCI DSS Compliance

Too many organizations fail to enact the baseline payment security controls, according to the Verizon 2020 Payment Security Report.

This week sees the launch of Verizon’s annual Payment Security Report, which looks at how organizations are maintaining – and not maintaining – compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Of significant concern is that the report highlights a continued, marked decline in compliance sustainability since 2016. Illustrating these findings is a late September news headline detailing how a technology provider failed to adequately protect bank account information.

Time and again, consumers have been let down by poor security controls. Why are organizations still failing to protect customer information?

Blackbaud ransomware security incident not over yet

Blackbaud is a global cloud software and services company founded nearly 40 years ago. Using the slogan, "powering social good," it is headquartered in Charleston, South Carolina.

Earlier in 2020, it was announced that education institutions and charities are among an unknonwn number of organizations affected by a successful ransomware attack on Blackbaud. Blackbaud paid off the attackers, but it remains unclear if the cybercriminals kept their side of the bargain.

The potential exposure of personally identifiable information (PII) was already known from the first reports of the ransomware attack. Blackbaud subsequently noted that prior to locking the cybercriminals out of its systems, the attackers removed a copy of a subset of data from its self-hosted (private cloud) environment.

Bank account information was not previously thought to have been exposed in the security incident.

However, at the end of September, Blackbaud submitted an 8-K filing to the U.S. Securities and Exchange Commission (SEC), stating that the attack had been more invasive than it initially thought.

“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,” according to the company's 8-K statement.

Blackbaud states on its website that it “acknowledges our responsibility for compliance with PCI requirements and protection of any cardholder data that we, as a service provider, possess, store, process, or transmit on behalf of the customer.”

Verizon Payment Security Report identifies many shortcomings

The Verizon 2020 Payment Security Report, released on Oct. 6, 2020, outlines the data security and compliance challenges facing organizations charged with securing payment processes. In particular, the report focuses on the state of PCI DSS version 3.2.1 compliance sustainability to date, as well as looks forward at what organizations can do to improve payment security.

This year’s report notes that compliance sustainability continues to fall, year on year, dating as far back as 2016. Looking at data from 2019, only 27.9% of organizations achieved 100% compliance during interim compliance validation. Overall, the report comments that lack of long-term security thinking – organizations that focus on applying quick fixes instead of creating and executing a larger strategy – is severely impacting sustained PCI DSS compliance.

Omdia research very much resonates with the findings of the Verizon report. It is a wake-up call to organizations that strong leadership is required to address failures, adequately manage payment security, and comply with PCI DSS security controls.

The alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, whether that is with PCI DSS, the EU General Data Protection Regulation (GDPR), or any other regulation to which organizations are subject. Security is not compliance, and vice versa, but security does have a huge bearing on compliance; security must be aligned with PCI DSS compliance, and other key organizational requirements.

But any successful strategic initiative requires a stakeholder who is charged with seeing it through. Unfortunately, in most organizations rarely is one individual or role responsible for compliance, security, and risk, and this means that the best-laid plans can fall down the cracks.

Omdia concurs with the report’s comment that long-term data security and compliance success will require the combined efforts of multiple roles, including the Chief Information Security Officer, Chief Risk Officer, and Chief Compliance Officer.

Organizations must get a grip on compliance and uphold their customers’ trust, which is all too readily damaged by inadequate actions.

Related Content:

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An att...
PUBLISHED: 2021-04-19
Buffer overflow in the tenc_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file, related invalid IV sizes.
PUBLISHED: 2021-04-19
Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.
PUBLISHED: 2021-04-19
Memory leak in the stbl_GetSampleInfos function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.
PUBLISHED: 2021-04-19
The HintFile function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.