Verizon’s payment study shows businesses are more vulnerable to cyber crime

Compliance with payment security standards dropped for the first time in six years, making businesses more vulnerable to cyber crime, according to a new report from Verizon.

Verizon’s 2018 Payment Security Report said that 52.5 percent of businesses surveyed were fully compliant with the Payment Card Industry Data Security Standard (PCI DSS), compared to 55.4 percent in a previous study in 2016. Verizon said the trend change was “alarming.”

Verizon said that compliance with PCI DSS helps protect payment systems from breaches and theft of cardholder data. The telecommunications company said the report highlights the crucial need for ongoing compliance maintenance and measurement.

Above: Verizon is worried about payment standards compliance.

Image Credit: Verizon

Verizon had previously tracked improvements in payment compliance for six consecutive years. The PCI DSS helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

Data gathered by Verizon’s PCI DSS qualified security assessors (QSAs) during 2017 demonstrates that PCI compliance is decreasing among global businesses, with only 52.4 percent of organizations maintaining full compliance in 2017, compared to 55.4 percent in 2016.

The report highlights regional differences, demonstrating that companies in the Asia-Pacific region are more likely (77.8 percent) to achieve full compliance than those based in Europe (46.4 percent) and the Americas (39.7 percent). These differences can be attributed to the timing of geographical compliance roll-out strategies, cultural appreciation of awards/recognition, or the maturity of IT systems.

Above: Verizon

Image Credit: Verizon

By business sector, IT services remain on top when it comes to compliance, with over three-quarters of organizations (77.8 percent) achieving full status. Retail (56.3 percent) and financial services (47.9 percent) were significantly ahead of hospitality organizations (38.5 percent), which demonstrated the lowest compliance sustainability.

With businesses often leveraging PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), this gap between the various business sectors that deal with electronic payments on a daily basis is significant.

“PCI Compliance standards are slipping across global businesses and this simply can’t continue,” said Rodolphe Simonetti, global managing director for security consulting at Verizon, in a statement. “Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.”

Simonetti added, “Our aim is to provide a clear structure and methodology to firstly help compliance personnel, but also equip them to open compliance dialogue with their board members, making the narrative easier to understand. For compliance processes to be effective, they need to be driven from the top, but often progress or challenges are not clearly communicated or understood by executives.”

Verizon measures nine factors of control effectiveness and sustainability for the 12 key requirements of the PCI DSS standard. They range from controlling the environment to controlling risk via security testing, risk management, and other factors.

“Data-sharing and cross-industry collaboration is vital to understand the evolving threat landscape and to progress global payment security. As evident in this report, organizations continue to face challenges maintaining high levels of security and demonstrating ongoing compliance in rapidly changing environments,” said Troy Leach, chief technology officer of the PCI Security Standards Council, in a statement. “Organizations should pay close attention to the findings in the report to remain vigilant for key learnings on how to remain secure. Compliance should never be seen as the end goal for security but rather a measurement for an organization’s continued success in protecting data.”