Payments security: A year in review
As ever, breaches weren’t limited to small and medium entities. Facebook was at the heart of yet another scandal in April, as more than 540 million records fell into the wrong hands.
Online shopping giant Amazon joined the worryingly comprehensive list of notable companies who had failed to protect customer data, too, when it was found to have been publishing private user data by accident on its Japanese site, and financier Capital One found itself the victim of a particularly damaging hack, resulting in the loss of 106 million pieces of sensitive user data.
Despite breaches becoming more prevalent and more damaging when they do occur, it seems that many companies are still taking a somewhat relaxed approach to data security; with an emphasis seemingly being placed on ticking the boxes to show good intent, rather than actually taking stringent and vigilant action to keep data safe.
PCI DSS Compliance
In its annual Payment and Security Report, Verizon made some interesting discoveries about how business is responding to the ever-present threat of data breaches, and indeed where it is failing to respond.
Most notably, the report found that numbers of businesses complying with the key Payment Card Industry Data Security Standard (PCI DSS) framework one year after achieving compliance fell between 2017 and 2018 – from 52.5% to just 36.7% – reaching the lowest levels since 2013, and keeping with a trend of decreasing sustainability, despite breaches increasing year-on-year.
Verizon’s report suggests that businesses are spending time and money on compliance programs and initiatives that are often ineffective and fail to stand up to professional scrutiny. Astonishingly, 18% of companies still don’t have a defined compliance program, despite significant increases in data breaches and repercussions for organisations found to be non-compliant.
Perhaps the most telling statistic of all is that of all compliant businesses, 0% rated their program as optimised; showing beyond a reasonable doubt that even with the best will in the world, companies are finding it cumbersome to implement PCI DSS compliance into their workflow.
Despite just 36.7% of businesses actively maintaining PCI DSS programmes, the framework is demonstrably effective when it comes to protecting organisations and customers alike. Verizon’s findings indicated that no company which had suffered a breach was fully compliant with all 12 requirements clearly defined by the standard – and even seemingly fundamental requirements were falling by the wayside.
Investigations (PFIs) found that failure to adequately comply with requirement, which calls on organisations to install and maintain a firewall configuration to protect cardholder data, led to a notable 18.4% of all data breaches and, even when it wasn’t the cause of a breach, some 49% of businesses were non-compliant.
Looking at the sectors specifically discussed in the Payment Security Report, finance remains the best performer when it comes to the PCI DSS, with 39% compliance, while hospitality ranked last with just 26.3%.
European companies were found to be ahead of their US-based peers with 48% compliance compared to just 20% across the Atlantic. Both US and European organisations are paling in comparison of their Asia-Pacific neighbours. However, those compliance rates were found to sit at 69.6%.
It raises the question as to why 80% of US companies are having such problems maintaining compliance? The Verizon report highlights that once companies achieve initial compliance, the constant updating, patching and testing – as per PCI DSS Requirements 6 and 11 – appear to cause problems, resulting in compliance failures. Perhaps, adopting modern cloud strategies could be one answer; removing the need for organisations to rely on older, complex infrastructures or ageing networks that create compliance barriers.
Over the course of the year there have been a number of high-profile data breaches affecting a large number of disparate organisations. The current estimate puts the amount of lost private data at around 10.3 million individual records, these include credit card numbers, addresses (both email and home), banking information and more to boot. The first six months of 2019 alone saw 4.1 billion pieces of private data compromised, but while the companies affected were from all different areas of trade, the causes remain the same.
Of the largest breaches to be reported in 2019, the majority were caused by poor security protocols, hackers and good old fashioned human error, and while companies aren’t in a position to eradicate these risk factors entirely, with careful planning and understanding, they are in a position to mitigate them.
Analysts predict that over the next couple of years, cybercriminals will focus their efforts on the internet of things (IoT) connected smart devices and an increase in the deployment of ransomware is likely to bloom, too. In addition to its Payment and Security Report, Verizon’s Data Breach Investigations Report shows that ransomware incidents accounted for nearly 24% of incidents where malware was used, and their profitability, combined with the relatively low risk involved, means that businesses must expect much more of the same in 2020.
As previously said, it is impossible to protect a business 100% from attacks and other data breaches, but by ensuring compliance with industry standards, businesses can insulate themselves and their customers from harm.
By Geoff Forsyth, chief information security officer (CISO), PCI Pal