The latest Verizon Payment Security Report (PSR) has just been published and makes for rather sober reading, particularly if you’re a CISO responsible for designing, implementing and executing data security compliance programs.
The report found that in 2019, only 27.9% of organizations assessed for the report had maintained PCI DSS compliance during their interim compliance validation. This means that nearly three-quarters of companies who were previously assessed as fully compliant with PCI DSS were not compliant when they had their interim validation. This is the third consecutive year that compliance rates have fallen, with fewer and fewer organizations demonstrating the ability to keep a minimum baseline of security controls in place. It’s clear from the 140-page report that the Retail, Financial and Hospitality sectors are particularly bad at staying compliant. Whilst it is still Requirement 11 – Security Testing – that causes companies the most difficulty, Verizon points to a general lack of leadership and strategic support at management level as the major contributing factor.
Were The Results The Same Across The World?
When considering a breakdown by country for companies’ interim compliance validation, the PSR found that US organizations are far behind counterparts in other global regions when it comes to being fully compliant at this interim stage, following a prior compliance with PCI DSS requirements. In fact, the PSR identified that just 8.5% of those examined maintained their compliance with the standard in full. EMEA followed at 40.5%, while Asia Pacific leads the way, with 87% of companies maintaining compliance.
What is clear is that CISOs are facing a raft of challenges. The PSR highlights how CISOs are being drawn into responding to reactionary security incidents – firefighting – rather than having the time to take a broad, proactive and planned strategic stance.
Plus, with workforces transitioning to remote working environments almost overnight, an additional layer of security management has been added to organizations’ action lists, to ensure any potential vulnerabilities are dealt with.
Does this imply that companies are not investing enough in expanding their security teams at the rate required to support the increasing risks facing organizations today?
Not All Bad
A positive trend identified in the PSR is that around 4 out of 10 firms are expected to increase IT budgets – predominantly to replace outdated infrastructure, to escalate security concerns or to support an increase in employee numbers. Whilst these investments will naturally have a positive impact on an organization’s ability to be secure, the report also found that only 7% of these budgets had been earmarked for security specifically. When you consider the potential risks to a business’s reputation and revenues, should a security breach or hack occur, it seems somewhat disproportionate.
With technology evolving and digital transformation occurring across many industry sectors, combined with the huge shifts we’ve seen following the onset of the Coronavirus pandemic, CISOs have had to identify the priority security components – those considered ‘most critical’ in this ever-changing landscape – and react accordingly.
Ultimately, the PSR shows that, once achieved, maintaining PCI compliance is a significant challenge and continued compliance has been generally slipping. Of course, there is still a long way for many organizations to go to achieve full PCI DSS compliance in the first place. In today’s uncertain world where cybercriminals are increasingly taking advantage of the fallout from the pandemic, it offers a timely and detailed reminder on the steps CISOs – and the organizations they serve – need to take to keep payment security front of mind, safeguarding reputations and building trust with consumers.