Data breaches that scoop up credit and debit card numbers ought to be relatively rare because the Payment Card Industry has created a Data Security Standard for businesses to follow.
However, if data gathered by Verizon Communications’ inspectors is representative, companies around the world are slacking off.
In its annual report, released Tuesday, Verizon said PCI compliance is decreasing among global businesses, with only 52.4 per cent of organizations maintaining full compliance in 2017, compared to 55.4 per cent in 2016.
“This trend is alarming,” Verizon said in a news release.
“PCI Compliance standards are slipping across global businesses and this simply can’t continue,” Rodolphe Simonetti, Verizon’s global managing director for security consulting, said in a statement. “Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.”
Companies in the Asia-Pacific region were more likely in 2017 to achieve full compliance (77.8 per cent), compared to those based in Europe (46.4 per cent) and the Americas (39.7 per cent). These differences can be attributed to the timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems, the report adds.
The numbers were compiled from assessments done by qualified security assessors from Verizon’s enterprise security practice who are hired by a company to examine its compliance with the Payment Card Industry Data Security Standard (PCI DSS). The report also used responses from a survey of 44 businesses.
The PCI DSS defines a set of dependent and interdependent controls that require customization to every unique control environment in order to be effective and sustainable, the report points out. “Without a deliberate and systematic method for control design, the strength of each implemented control depends mostly on the enthusiasm of the team or person tasked with its implementation, not the actual measurement of control strength and sustainability requirements.
The standard evaluates aspects of the control environment, such as: policies, user training and awareness, risk assessment and network security. It is not uncommon for organizations to also use PCI DSS with other security standards such as ISO 27001, NIST 800 and the new European General Data Protection Regulation (GDPR) as part of an overall security strategy.
However, the PCI standard doesn’t directly address organizations’ capability for assessing data protection governance, oversight, and
commitment toward competence. “Organizations need to take self-ownership of their responsibility to develop data protection governance capabilities,” the report says.
The problem, the report argues, is that many organizations are overly reliant on external validation assessments performed by Qualified Security Assessors (QSAs) for payment card data protection and compliance. They need to instead develop a program of internal reviews because reliance on an annual review leaves organizations exposed to weaknesses, as controls fail to adapt to changes in the control environment. “Internal reviews indicate a value on measurement, which then become integrated into the mindset of the culture.”
The report says most organizations should optimize their overall control environments and can start by answering questions, such as:
• How well is your control environment defined and
documented to support you in understanding its impact
on control performance, and to help you manage and
improve it?
• Is your control environment supporting or detracting from
achieving sustainability and continuous improvement of
your PCI compliance program?
• How confident are you in understanding the relevance
between your control environment and the performance of
your data protection program?
• Do you have an enterprise-wide internal control
program based on an independent structure with a clear
responsibility matrix, such as the Responsible, Accountable,
Consulted and Informed (RACI) matrix?
“The problems associated with organizations implementing PCI DSS controls “out of the box” are well known,” says the report.
“People assume that controls will work well and do not need refinement. Yet, things often have to go wrong before action is taken to evaluate the control design and implement supporting processes for the controls to operate as intended and be sustainable.
When conducting compliance validation assessment the report says Verizon’s assessors are often surprised at how organizations willingly tolerate routine security control operation and design errors, where management will continue to accept low but persistent levels of control and compliance errors as inevitable and acceptable, even when they are not difficult to avoid.
The 50-page report outlines nine factors of control effectiveness and sustainability Verizon says CISOs can follow to vet out the weakest points in a security system. including how to control risk, resilience and lifecycle management.
In an interview posted on the Payment Card Industry Council’s security standards blog, CTO Troy Leach, said the first priority of businesses following PCI DSS is to determine if opportunities exist to minimize risk. Among the choices: Eliminating unnecessary storage of payment data, upgrading payment terminals to encrypt cardholder data as part of a P2PE (point-to-point encryption) solution, or isolating payment data from the rest of the company’s infrastructure.
“Sometime the simplest answer is not adding more security resources but re-evaluating the method in which payments are accepted,” he said. “Newer technology and payment methodologies may provide additional business and security advantages to reduce the overall effort to maintain security controls.
“For the residual risk that remains, isolating payment data to smaller segments will allow organizations to focus attention for monitoring and other security controls on critical assets.
“Finally, organizations should view most of the PCI DSS requirements as demonstration of process for ongoing security of cardholder data. Not just a point in time.