
Payment security report

by Mark Rowe

Businesses globally continue to put their customers’ cardholder data at risk due to a lack of long term payment security strategy, according to the newly released Verizon Business 2020 Payment Security Report (2020 PSR). With many companies struggling to retain qualified CISOs or security managers, the lack of long-term security thinking is severely impacting sustained compliance within the Payment Card Industry Data Security Standard (PCI DSS).

Payment data remains one of the most sought-after and lucrative targets for cybercriminals. Nine out of ten data breaches are financially motivated, according to the Verizon Business 2020 Data Breach Investigations Report (2020 DBIR). Within retail alone, 99 percent of the security incidents analysed in the 2020 DBIR were focused on acquiring payment data for criminal use.

The 2020 PSR found that on average only 27.9 percent of global firms maintained full compliance with the PCI DSS, which was developed to help businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. This is the third successive year in which compliance has declined, a 27.5 percentage point drop since compliance peaked in 2016 (as reported in the 2017 PSR).

Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business said: “Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable.

“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data, and consumers trust businesses to safeguard their information. Payment security has to be seen as an ongoing business priority by all companies that handle any payment data; they have a fundamental responsibility to their customers, suppliers and consumers.”

Findings

On security testing, the 2020 PSR shows that only about half of organisations (51.9 percent) successfully test security systems and processes as well as unmonitored system access, and only about two-thirds of all businesses adequately track and monitor access to business-critical systems. Only seven out of ten financial institutions (70.6 percent) maintain essential perimeter security controls.

Maxine Holt, senior research director at the research firm Omdia says: “This report is a welcome wake-up call to organisations that strong leadership is required to address failures to adequately manage payment security. The Verizon Business report aligns well with Omdia’s view that the alignment of security strategy with organisational strategy is essential for organisations to maintain compliance, in this case with PCI DSS 3.2.1 to provide appropriate levels of payment security. It makes clear that long-term data security and compliance combines the responsibilities of a number of roles, including the Chief Information Security Officer, the Chief Risk Officer, and Chief Compliance Officer, which Omdia concurs with.”


© 2024 Professional Security Magazine. All rights reserved.
