Payment security compliance has declined for the second year in a row, with organizations based in the Americas lagging behind worldwide counterparts, Verizon’s 2019 Payment Security Report (2019 PSR) flags.
When Visa Inc. initially launched the PCI DSS in 2004, many assumed that organizations would achieve effective and sustainable compliance within five years. Now, 15 years on, the number of businesses achieving and maintaining compliance has dropped from 52.5 percent (2018 PSR) to a low of just 36.7 percent worldwide. Geographically, organizations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6 percent, compared to 48 percent in Europe, Middle East and Africa (EMEA) and just 20.4 percent (1 in 5) in the Americas.
PCI DSS helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data, as shown in the Verizon Data Breach Investigations Report series. Compliance is measured on an organization’s ability to meet — and importantly, maintain — the standard.
“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” said Rodolphe Simonetti, global managing director for security consulting at Verizon. “We see an increasing number of organizations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data. With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programs.”
New Verizon framework helps businesses navigate payment security compliance
Data protection and compliance present daily challenges. Many organizations believe they can use a one-size-fits-all script to achieve effective and sustainable data protection. However, in the real world, security is more complicated.
Simonetti continues, “Many organizations spend a lot of time and money creating data protection compliance programs, but often these are ineffective — looking good on paper but not able to withstand the scrutiny of a professional security assessment. We still see Chief Information Security Officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.”
In previous Payment Security Reports, Verizon developed methodology to help organizations manage their Data Protection Compliance Programs (DPCPs). These have now been combined to form the Verizon 9-5-4 Compliance Program Performance Framework — a guideline which helps develop and improve capability and process maturity.
The 9-5-4 Framework is designed to help organizations achieve repeatable, consistent and predictable outcomes by offering guidance on how to map, monitor and report the status of sustainability and effectiveness for each of the 9 Factors of Control Effectiveness and Sustainability — including control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment. This is across each of the essential 4 lines of assurance — individual accountability, risk management and compliance teams, internal audit, external audit and regulators — and is achieved by evaluating the 5 Constraints of Organizational Proficiency — capacity, capability, competence, commitment and communication.
Link reinforced between lack of compliance and breaches
The report also includes data from the Verizon Threat Research Advisory Center (VTRAC), which demonstrates that a compliance program without the proper controls to protect data has a more than 95 percent probability of not being sustainable and is more likely to be a potential target of a cyberattack.
“For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches,” concludes Simonetti. “In this year’s report, we included even more data from the Verizon VTRAC team, the authors of Verizon’s Data Breach Investigation series, to add more depth to this discussion. Our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organization. Compliance works!”
About the Verizon 2019 Payment Security Report
This year’s report focuses on performance visibility, control and maturity of DPCPs. It includes results from 302 PCI DSS engagements for a range of organizations, including Fortune 500 and large multinational firms in more than 60 countries. The assessments were conducted by Verizon’s team of PCI Qualified Security Assessors (QSAs), as well as large third-party QSAs, including ControlScan, Foregenix, MegaplanIT and Schellman.
Similar to Verizon’s Data Breach Investigations Report series, the 2019 PSR is based on actual casework with a specific focus on financial services (50.7 percent); IT services (17.5 percent), retail (19.9 percent) and hospitality (10.6 percent). Geographies include the Americas (50.0 percent), APAC (20.0 percent), and EMEA (30.0 percent).