
Operational Security // Compliance

9/27/2018 08:05 AM
Jeffrey Burt

Verizon Study Finds PCI DSS Compliance Falls Worldwide

Verizon's report says that fewer businesses are complying with the PCI DSS payment standard despite the rising threat of security breaches and consumer data theft.

More companies around the world are opening themselves up to cyberattacks and security breaches as compliance with payment security standards fell last year, a troubling trend that Verizon officials said needs to be addressed.

The carrier's 2018 Payment Security Report, released this week, found that for the first time in six years, the percentage of businesses around the world complying with the Payment Card Industry Data Security Standard (PCI DSS) decreased year-over-year, from 55.4% in 2016 to 52.5% last year. The standard is used by businesses that offer card payment facilities to help protect their payments systems from data breaches and customer data theft.

There has been a growing number of high-profile security breaches that have led to the theft of personally identifiable information of customers from such companies as Equifax, Yahoo, Heartland Payment Systems, Under Armour and Target, and such breaches are beginning to cost C-level executives their jobs. Verizon officials said that compliance with PCI DSS has been effective in protecting payment systems against breaches and data theft, which is why the trend away from compliance is concerning. (See Data Breaches Costing More C-Level Executives Their Jobs.)

"PCI Compliance standards are slipping across global businesses and this simply can't continue," Rodolphe Simonetti, global managing director for security consulting at Verizon, said in a statement. "Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs."

Compliance had risen steadily over the previous several years, from 11.1% in 2012 to 48.4% in 2015. According to data collected by Verizon's qualified security assessors (QSAs), that upward trend continued into 2016 but fell off last year.

"The news about the drop in PCI compliance is somewhat alarming," Dan Hubbard, chief product officer at cloud security solutions provider Lacework, told Security Now in an email. "One explanation is that companies are increasingly outsourcing their payments and therefore believe they don't need to adhere to PCI. The other is that they are suffering from compliance fatigue which, in the past, has been laden with manual processes and cumbersome technical challenges that stunt innovation."

That compliance fatigue could be alleviated by seamless, automated compliance and clearer insight into companies' own security, Hubbard said.

Compliance differs among business sectors and geographical regions, according to Verizon's report. IT services has the highest compliance among business sectors, at 77.8%. Retail came in at 56.3% and financial services at 47.9%, with hospitality at the lowest level at 38.5%. The gap among the various business sectors is important given that companies will leverage their PCI DSS compliance efforts as part of their work to meet the security requirements of data security regulations, such as the European Union's General Data Protection Regulation (GDPR), according to Verizon officials. (See Cisco: GDPR Is About More Than Compliance.)

Ronald Tosto, global manager of PCI advisory and assessment services at Verizon, told Security Now that evidence points to point-of-sale (PoS) systems being the weak link when it comes to credit card data.

"In many cases, hospitality and retailers are using point-of-sale systems that have not been certified as a payment application that meets data security standards," Tosto said. "In the United States, there is an inconsistent use of credit cards with chips and PIN numbers to verify card ownership. And while merchants can have their own system to implement point encryption, there has been a low adoption rate for the approach."

On a regional basis, compliance in the Asia-Pacific region comes in at 77.8%, followed by Europe at 46.4% and the Americas at 39.7%. There are multiple reasons for the differences, including the timing of compliance rollout strategies, the cultural appreciation of awards and recognition, and the maturity of IT systems, Verizon officials said.

Nathan Wenzler, chief security strategist at security consulting firm AsTech, told Security Now that the drop in compliance numbers isn't surprising. Wenzler noted that the PCI Council has added new requirements to the PCI DSS guidelines in recent years that are too complicated or expensive for many small businesses and difficult for enterprises to manage consistently at large scale. Suspicion that some of the requirements were added to appease software vendors has made some businesses skeptical about the validity of the guidelines, he said.

"This perception change makes things much more difficult for everyone, since the various PCI requirements can absolutely be used as powerful tools to bolster any security program, but without the support of the security practitioners who must advise, manage or even implement all of the controls, you're going to see compliance start to drop across the board," Wenzler said.

Verizon officials noted in the report that while PCI DSS compliance doesn't mean 100% secure -- it doesn't address, for example, a company's ability to assess its data protection governance, oversight or commitment to competence -- it is an important part of the larger security picture.

"Since 2010, not a single organization that we have assessed following a data breach was fully PCI DSS compliant," they wrote.

Verizon's Tosto notes that "companies must have capacity and capability to make an effective change to their payment ecosystem … Our recommendation is to dedicate resources and a sense of energy with urgency to ensure the trend does not continue on a downward path."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
