Payment security backslides for second straight year, says Verizon

Payment security has deteriorated for the second consecutive year in the Americas as only 1 in 5 companies meet compliance requirements, according to a Verizon report.

Verizon's 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. PCI DSS was launched by Visa in 2004 and organizations were supposed to be in compliance within 5 years. Compliance improved gradually from 2010 to 2016 and then started to decline. The lack of payment compliance raises a lot of security issues. 

Nation state actors, affiliates behind increasing amount of data breaches | Cybercrime and cyberwar: A spotter's guide to the groups that are out to get you | The Windows 10 security guide: How to safeguard your business

Companies in Asia-Pacific have the highest compliance with PCI DSS standards with 69.6% at full compliance with 48% in Europe, Middle East and Africa. In the Americas just 20.4% have full PCI DSS compliance.

Part of the issue is that complying with PCI DSS is largely about showing controls on paper for data and privacy protection, but compliance programs often fall over under real-world threats.

Verizon's report is based on 302 PCI DSS engagements with global companies.

Ciske van Oosten,  Senior Manager Global Intelligence division at the Security Assurance Consulting practice of Verizon, said:

It has been 15 years since PCI DSS passed, but it is a private sector effort. If you don't comply with PCI DSS there are penalties that can be applied to service providers and merchants. Enforcement is business to business and in contracts. If you are not compliant and have a breach you will be held liable. The ultimate consequence is being disconnected from the financial networks.

Verizon is pitching its framework on assessing PCI DSS readiness as well as getting compliance validation before an official assessment. van Oosten said that PCI DSS compliance doesn't guarantee an organization won't suffer a data breach, but it's less likely to take a hit.

Overall, the PCI DSS standard has 12 requirements grouped into six areas such as building and maintaining a secure network and systems, protecting cardholder data, maintain a vulnerability management program, implementing strong control measures, monitoring and testing networks regularly and maintaining and information security policy.

As far as the requirements go, most firms in Verizon's report have maintained firewalls, change vendor defaults, protect cardholder data, protect against malicious software, restrict access and encrypt data, but fall over with security management and testing systems and processes.

Specifically, requirement 11--test security systems and processing--is the biggest problem for organizations. According to the report:

Requirement 11 continues to lag at the back of the pack when it comes to full compliance. With the lowest compliance ranking for the 2017–2019 PSR reporting years, this requirement also has the widest control gap, meaning not only are organizations not maintaining compliance, they are also failing on a larger number of controls.

Because this requirement can help organizations identify weaknesses that could be exploited and result in a breach, it's of concern that compliance is not improving.