
Operational Security // Compliance

9/27/2018 08:05 AM
Jeffrey Burt

Verizon Study Finds PCI DSS Compliance Falls Worldwide

Verizon's report says that fewer businesses are complying with the PCI DSS payment standard despite the rising threat of security breaches and consumer data theft.

More companies around the world are opening themselves up to cyber attacks and security breaches as compliance with payment security standards fell last year, a troubling trend that Verizon officials said needs to be addressed.

The carrier's 2018 Payment Security Report, released this week, found that for the first time in six years, the percentage of businesses around the world complying with the Payment Card Industry Data Security Standard (PCI DSS) decreased year-over-year, from 55.4% in 2016 to 52.5% last year. The standard is used by businesses that offer card payment facilities to help protect their payments systems from data breaches and customer data theft.

There has been a growing number of high-profile security breaches that have led to the theft of personally identifiable information of customers from such companies as Equifax, Yahoo, Heartland Payment Systems, Under Armour and Target, and such breaches are beginning to cost C-level executives their jobs. Verizon officials said that compliance with PCI DSS has been effective in protecting payment systems against breaches and data theft, which is why the trend away from compliance is concerning. (See Data Breaches Costing More C-Level Executives Their Jobs.)

"PCI Compliance standards are slipping across global businesses and this simply can't continue," Rodolphe Simonetti, global managing director for security consulting at Verizon, said in a statement. "Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs."

Compliance has moved steadily up over the past several years, from 11.1% in 2012 to 48.4% in 2015. According to data collected by Verizon's qualified security assessors (QSAs), that upward trend continued into 2016, but fell off last year.

"The news about the drop in PCI compliance is somewhat alarming," Dan Hubbard, chief product officer at cloud security solutions provider Lacework, told Security Now in an email. "One explanation is that companies are increasingly outsourcing their payments and therefore believe they don't need to adhere to PCI. The other is that they are suffering from compliance fatigue which, in the past, has been laden with manual processes and cumbersome technical challenges that stunt innovation."

That compliance fatigue could be alleviated with seamless, automated compliance processes and better insight into their own security posture, Hubbard said.

Compliance differs among business sectors and geographical regions, according to Verizon's report. IT services has the highest compliance among business sectors, at 77.8%. Retail came in at 56.3% and financial services at 47.9%, with hospitality at the lowest level at 38.5%. The gap among the various business sectors is important given that companies will leverage their PCI DSS compliance efforts as part of their work to meet the security requirements of data security regulations, such as the European Union's General Data Protection Regulation (GDPR), according to Verizon officials. (See Cisco: GDPR Is About More Than Compliance.)

Ronald Tosto, global manager of PCI advisory and assessment services at Verizon, told Security Now that evidence points to point-of-sale (PoS) systems being the weak link when it comes to credit card data.

"In many cases, hospitality and retailers are using point-of-sale systems that have not been certified as a payment application that meets data security standards," Tosto said. "In the United States, there is an inconsistent use of credit cards with chips and PIN numbers to verify card ownership. And while merchants can have their own system to implement point encryption, there has been a low adoption rate for the approach."

On a regional basis, compliance in the Asia-Pacific region comes in at 77.8%, followed by Europe on 46.4% and the Americas on 39.7%. There are multiple reasons for the differences, including the timing of compliance rollout strategies, the cultural appreciation of awards and recognition, and the maturity of IT systems, Verizon officials said.

Nathan Wenzler, chief security strategist at security consulting firm AsTech, told Security Now that the drop in compliance numbers isn't surprising. Wenzler noted that the PCI Council has added new requirements to the PCI DSS guidelines in recent years that are too complicated or expensive for many small businesses and difficult for enterprises to manage consistently at large scale. Suspicion that some of the requirements were added to appease software vendors has made some businesses skeptical about the validity of the guidelines, he said.

"This perception change makes things much more difficult for everyone, since the various PCI requirements can absolutely be used as powerful tools to bolster any security program, but without the support of the security practitioners who must advise, manage or even implement all of the controls, you're going to see compliance start to drop across the board," Wenzler said.

Verizon officials noted in the report that PCI DSS compliance doesn't mean a company is 100% secure (it doesn't address, for example, a company's ability to assess its data protection governance, oversight or commitment to competence), but it is an important part of the larger security picture.

"Since 2010, not a single organization that we have assessed following a data breach was fully PCI DSS compliant," they wrote.

Verizon's Tosto notes that "companies must have capacity and capability to make an effective change to their payment ecosystem … Our recommendation is to dedicate resources and a sense of energy with urgency to ensure the trend does not continue on a downward path."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
