Payment security is getting weaker, as only 27.9% of global organizations were in full compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to Verizon.
The Verizon Business 2020 Payment Security Report highlights that PCI DSS compliance is down 27.5% from 2016. Full PCI DSS compliance means meeting all 12 requirements. Those requirements are:
- Protect your system with firewalls
- Configure passwords and settings
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Regularly update and patch systems
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to workplace and cardholder data
- Implement logging and log management
- Conduct vulnerability scans and penetration tests
- Maintain documentation and conduct risk assessments
Verizon's findings are a bit alarming given that credit cards are a big target for cybercrime. Consider a few recent events:
- My stolen credit card details were used 4,500 miles away. I tried to find out how it happened
- 'Keeper' hacking group behind hacks at 570 online stores
- Ritz London suspects data breach, fraudsters pose as staff in credit card data scam
According to Verizon, companies are struggling to retain qualified chief information security officers and lack long-term planning.
Among the key items in the report:
- 51.9% successfully test security systems and processes, as well as test for unmonitored system access.
- Two-thirds of all businesses track and monitor access to business-critical systems.
- 70.6% of financial institutions maintain essential perimeter security controls.
Here's a look at the five-year trends for full PCI DSS compliance by requirement.