The number of organisations complying with the Payment Card Industry Data Security Standard (PCI DSS) has increased over the last year, but many organisations are still failing to abide by these standards, according to a report published by Verizon.
The Verizon 2017 Payment Security Report examines payment security and compliance with the PCI DSS, looking at compliance trends and security control failures from global, regional and industry perspectives. The report's analysis of compliance patterns focusses on industry experiences from the retail, hospitality, IT and financial services sectors.
An overview of the PCI DSS and the key issues identified by Verizon is provided below.
The PCI DSS framework
The PCI DSS framework requires businesses handling card payment transactions to keep payment card data secure both during a transaction and after it has completed. The PCI DSS was created to increase controls around cardholder data and reduce credit card fraud. Although its main focus is card payment data, its principles (e.g. retention policies, encryption, physical security) can be applied to all kinds of data. More information on the PCI DSS can be found on the PCI Security Standards Council website.
According to Verizon, more than half (55.4 percent) of businesses it assessed for adherence to the PCI DSS in 2016 were in full compliance at interim validation. This is an increase from 2015 when only 48.4 percent of organisations achieved full compliance during their interim assessment.
While businesses' full compliance with the standard continues to move upwards, nearly half of retailers, restaurants, hotels and other businesses involved in card payments are still failing to adhere to the standard from year to year.
Verizon found that businesses in the hospitality and retail sector lag behind IT service providers and financial services firms in their compliance with the standards. In particular, the IT services industry was found to be the top performing industry with 61.3 percent of organisations having achieved full compliance during interim assessment in 2016. The IT services industry is followed by financial services (59.1 percent), retail (50 percent) and hospitality (42.9 percent).
Security controls: key to compliance sustainability and effectiveness
Verizon also looked at the security controls (such as security of data transmission, authentication of access and security of configurations) that an organisation would be expected to have in place in a PCI DSS context, and found that the control gap (i.e. the proportion of required controls that were absent) had widened. In 2015, organisations failing their interim assessment had on average 12.4 percent of controls not in place; in 2016 this rose to 13 percent.
The report identified several control weaknesses present during PCI DSS compliance assessments, including a lack of security awareness training and of frequent reinforcement of data protection and compliance goals. It also points to control system designs that are unable to adjust to changes in the business and/or data protection environment.
Verizon's report offers guidelines for making control systems effective, including:
- Fitness for purpose: For a control system to be effective, it must be capable of reducing the vulnerabilities it is designed to prevent to an acceptable level.
- Resilience: Control systems should be able to adapt to changing circumstances and retain their efficiency as the environment evolves.
- Putting in place measures to achieve resilience: In a PCI DSS context, procedures will need to be implemented for organisations to be able to respond to changing circumstances. These include taking action to develop and maintain knowledge of risk exposure and putting controls in place to address those risks and comply with cardholder data protection standards (e.g. reliable data protection and compliance reporting).
The report identified (amongst other issues discussed above) a rise in the average percentage of controls that organisations failing their interim assessment did not have in place. Rodolphe Simonetti, global managing director for security consulting at Verizon, said:
"It is no longer the question of 'if' data must be protected but 'how' to achieve sustainable data protection. Many organisations still look at PCI DSS controls in isolation and don't appreciate that they are inter-related – the concept of control lifecycle management is far too often absent".