
Operational Security // Compliance
9/27/2018 08:05 AM
Jeffrey Burt

Verizon Study Finds PCI DSS Compliance Falls Worldwide

Verizon's report says that fewer businesses are complying with the PCI DSS payment standard despite the rising threat of security breaches and consumer data theft.

More companies around the world are opening themselves up to cyber attacks and security breaches as compliance with security payment standards fell last year, a troubling trend that officials with Verizon said needs to be addressed.

The carrier's 2018 Payment Security Report, released this week, found that for the first time in six years, the percentage of businesses around the world complying with the Payment Card Industry Data Security Standard (PCI DSS) decreased year-over-year, from 55.4% in 2016 to 52.5% last year. The standard is used by businesses that offer card payment facilities to help protect their payments systems from data breaches and customer data theft.

There has been a growing number of high-profile security breaches that have led to the theft of personally identifiable information of customers from such companies as Equifax, Yahoo, Heartland Payment Systems, Under Armour and Target, and such breaches are beginning to cost C-level executives their jobs. Verizon officials said that compliance with PCI DSS has been effective in protecting payment systems against breaches and data theft, which is why the trend away from compliance is concerning. (See Data Breaches Costing More C-Level Executives Their Jobs.)

"PCI Compliance standards are slipping across global businesses and this simply can't continue," Rodolphe Simonetti, global managing director for security consulting at Verizon, said in a statement. "Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs."

Compliance has moved steadily up over the past several years, from 11.1% in 2012 to 48.4% in 2015. According to data collected by Verizon's qualified security assessors (QSAs), that upward trend continued into 2016, but fell off last year.

"The news about the drop in PCI compliance is somewhat alarming," Dan Hubbard, chief product officer at cloud security solutions provider Lacework, told Security Now in an email. "One explanation is that companies are increasingly outsourcing their payments and therefore believe they don't need to adhere to PCI. The other is that they are suffering from compliance fatigue which, in the past, has been laden with manual processes and cumbersome technical challenges that stunt innovation."

That compliance fatigue could be alleviated by seamless, automated compliance tooling that also gives companies insight into their security posture, Hubbard said.

Compliance differs among business sectors and geographical regions, according to Verizon's report. IT services has the highest compliance among business sectors, at 77.8%. Retail came in at 56.3% and financial services at 47.9%, with hospitality at the lowest level at 38.5%. The gap among the various business sectors is important given that companies will leverage their PCI DSS compliance efforts as part of their work to meet the security requirements of data security regulations, such as the European Union's General Data Protection Regulation (GDPR), according to Verizon officials. (See Cisco: GDPR Is About More Than Compliance.)

Ronald Tosto, global manager of PCI advisory and assessment services at Verizon, told Security Now that the evidence points to point-of-sale (PoS) systems as the weak link when it comes to credit card data.

"In many cases, hospitality and retailers are using point-of-sale systems that have not been certified as a payment application that meets data security standards," Tosto said. "In the United States, there is an inconsistent use of credit cards with chips and PIN numbers to verify card ownership. And while merchants can have their own system to implement point encryption, there has been a low adoption rate for the approach."

On a regional basis, compliance in the Asia-Pacific region comes in at 77.8%, followed by Europe on 46.4% and the Americas on 39.7%. There are multiple reasons for the differences, including the timing of compliance rollout strategies, the cultural appreciation of awards and recognition, and the maturity of IT systems, Verizon officials said.

Nathan Wenzler, chief security strategist at security consulting firm AsTech, told Security Now that the drop in compliance numbers isn't surprising. Wenzler noted that the PCI Council has added new requirements to the PCI DSS guidelines in recent years that are too complicated or expensive for many small businesses, and difficult for enterprises to manage consistently at large scale. Suspicion that some of the requirements were added to appease software vendors has made some businesses skeptical about the validity of the guidelines, he said.

"This perception change makes things much more difficult for everyone, since the various PCI requirements can absolutely be used as powerful tools to bolster any security program, but without the support of the security practitioners who must advise, manage or even implement all of the controls, you're going to see compliance start to drop across the board," Wenzler said.

Verizon officials noted in the report that while PCI DSS compliance doesn't mean a company is 100% secure (it doesn't, for example, address a company's ability to assess its data protection governance, oversight or commitment to competence), it is an important part of the larger security picture.

"Since 2010, not a single organization that we have assessed following a data breach was fully PCI DSS compliant," they wrote.

Verizon's Tosto notes that "companies must have capacity and capability to make an effective change to their payment ecosystem … Our recommendation is to dedicate resources and a sense of energy with urgency to ensure the trend does not continue on a downward path."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
