Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

10/6/2020
07:00 PM
Maxine Holt
Maxine Holt
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Verizon Payment Security Report is a Wake-up Call: Time to Refocus on PCI DSS Compliance

Too many organizations fail to enact the baseline payment security controls, according to the Verizon 2020 Payment Security Report.

This week sees the launch of Verizon’s annual Payment Security Report, which looks at how organizations are maintaining – and not maintaining – compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Of significant concern is that the report highlights a continued, marked decline in compliance sustainability since 2016. Illustrating these findings is a late September news headline detailing how a technology provider failed to adequately protect bank account information.

Time and again, consumers have been let down by poor security controls. Why are organizations still failing to protect customer information?

Blackbaud ransomware security incident not over yet

Blackbaud is a global cloud software and services company founded nearly 40 years ago. Using the slogan, "powering social good," it is headquartered in Charleston, South Carolina.

Earlier in 2020, it was announced that education institutions and charities are among an unknonwn number of organizations affected by a successful ransomware attack on Blackbaud. Blackbaud paid off the attackers, but it remains unclear if the cybercriminals kept their side of the bargain.

The potential exposure of personally identifiable information (PII) was already known from the first reports of the ransomware attack. Blackbaud subsequently noted that prior to locking the cybercriminals out of its systems, the attackers removed a copy of a subset of data from its self-hosted (private cloud) environment.

Bank account information was not previously thought to have been exposed in the security incident.

However, at the end of September, Blackbaud submitted an 8-K filing to the U.S. Securities and Exchange Commission (SEC), stating that the attack had been more invasive than it initially thought.

“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,” according to the company's 8-K statement.

Blackbaud states on its website that it “acknowledges our responsibility for compliance with PCI requirements and protection of any cardholder data that we, as a service provider, possess, store, process, or transmit on behalf of the customer.”

Verizon Payment Security Report identifies many shortcomings

The Verizon 2020 Payment Security Report, released on Oct. 6, 2020, outlines the data security and compliance challenges facing organizations charged with securing payment processes. In particular, the report focuses on the state of PCI DSS version 3.2.1 compliance sustainability to date, as well as looks forward at what organizations can do to improve payment security.

This year’s report notes that compliance sustainability continues to fall, year on year, dating as far back as 2016. Looking at data from 2019, only 27.9% of organizations achieved 100% compliance during interim compliance validation. Overall, the report comments that lack of long-term security thinking – organizations that focus on applying quick fixes instead of creating and executing a larger strategy – is severely impacting sustained PCI DSS compliance.

Omdia research very much resonates with the findings of the Verizon report. It is a wake-up call to organizations that strong leadership is required to address failures, adequately manage payment security, and comply with PCI DSS security controls.

The alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, whether that is with PCI DSS, the EU General Data Protection Regulation (GDPR), or any other regulation to which organizations are subject. Security is not compliance, and vice versa, but security does have a huge bearing on compliance; security must be aligned with PCI DSS compliance, and other key organizational requirements.

But any successful strategic initiative requires a stakeholder who is charged with seeing it through. Unfortunately, in most organizations rarely is one individual or role responsible for compliance, security, and risk, and this means that the best-laid plans can fall down the cracks.

Omdia concurs with the report’s comment that long-term data security and compliance success will require the combined efforts of multiple roles, including the Chief Information Security Officer, Chief Risk Officer, and Chief Compliance Officer.

Organizations must get a grip on compliance and uphold their customers’ trust, which is all too readily damaged by inadequate actions.

Related Content:

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15279
PUBLISHED: 2021-05-18
An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths. This issue was discovered during external security research.
CVE-2021-3423
PUBLISHED: 2021-05-18
Uncontrolled Search Path Element vulnerability in the openssl component as used in Bitdefender GravityZone Business Security allows an attacker to load a third party DLL to elevate privileges. This issue affects Bitdefender GravityZone Business S...
CVE-2020-18194
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
CVE-2020-18195
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
CVE-2020-18198
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."