Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

10/6/2020
07:00 PM
Maxine Holt
Maxine Holt
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Verizon Payment Security Report is a Wake-up Call: Time to Refocus on PCI DSS Compliance

Too many organizations fail to enact the baseline payment security controls, according to the Verizon 2020 Payment Security Report.

This week sees the launch of Verizon’s annual Payment Security Report, which looks at how organizations are maintaining – and not maintaining – compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Of significant concern is that the report highlights a continued, marked decline in compliance sustainability since 2016. Illustrating these findings is a late September news headline detailing how a technology provider failed to adequately protect bank account information.

Time and again, consumers have been let down by poor security controls. Why are organizations still failing to protect customer information?

Blackbaud ransomware security incident not over yet

Blackbaud is a global cloud software and services company founded nearly 40 years ago. Using the slogan, "powering social good," it is headquartered in Charleston, South Carolina.

Earlier in 2020, it was announced that education institutions and charities are among an unknonwn number of organizations affected by a successful ransomware attack on Blackbaud. Blackbaud paid off the attackers, but it remains unclear if the cybercriminals kept their side of the bargain.

The potential exposure of personally identifiable information (PII) was already known from the first reports of the ransomware attack. Blackbaud subsequently noted that prior to locking the cybercriminals out of its systems, the attackers removed a copy of a subset of data from its self-hosted (private cloud) environment.

Bank account information was not previously thought to have been exposed in the security incident.

However, at the end of September, Blackbaud submitted an 8-K filing to the U.S. Securities and Exchange Commission (SEC), stating that the attack had been more invasive than it initially thought.

“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,” according to the company's 8-K statement.

Blackbaud states on its website that it “acknowledges our responsibility for compliance with PCI requirements and protection of any cardholder data that we, as a service provider, possess, store, process, or transmit on behalf of the customer.”

Verizon Payment Security Report identifies many shortcomings

The Verizon 2020 Payment Security Report, released on Oct. 6, 2020, outlines the data security and compliance challenges facing organizations charged with securing payment processes. In particular, the report focuses on the state of PCI DSS version 3.2.1 compliance sustainability to date, as well as looks forward at what organizations can do to improve payment security.

This year’s report notes that compliance sustainability continues to fall, year on year, dating as far back as 2016. Looking at data from 2019, only 27.9% of organizations achieved 100% compliance during interim compliance validation. Overall, the report comments that lack of long-term security thinking – organizations that focus on applying quick fixes instead of creating and executing a larger strategy – is severely impacting sustained PCI DSS compliance.

Omdia research very much resonates with the findings of the Verizon report. It is a wake-up call to organizations that strong leadership is required to address failures, adequately manage payment security, and comply with PCI DSS security controls.

The alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, whether that is with PCI DSS, the EU General Data Protection Regulation (GDPR), or any other regulation to which organizations are subject. Security is not compliance, and vice versa, but security does have a huge bearing on compliance; security must be aligned with PCI DSS compliance, and other key organizational requirements.

But any successful strategic initiative requires a stakeholder who is charged with seeing it through. Unfortunately, in most organizations rarely is one individual or role responsible for compliance, security, and risk, and this means that the best-laid plans can fall down the cracks.

Omdia concurs with the report’s comment that long-term data security and compliance success will require the combined efforts of multiple roles, including the Chief Information Security Officer, Chief Risk Officer, and Chief Compliance Officer.

Organizations must get a grip on compliance and uphold their customers’ trust, which is all too readily damaged by inadequate actions.

Related Content:

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25660
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
CVE-2020-25688
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
CVE-2020-25696
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
CVE-2020-26229
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
CVE-2020-28984
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.