Much like Verizon’s Data Breach Investigations Report (DBIR), the Payment Security Report (PSR) is a must-read for security professionals. While it focuses on the PCI DSS standard and reviews compliance related to its 12 requirements, it is much more than a review of how companies are faring regarding PCI compliance.
The compliance statistics are informative and show some alarming trends about how well companies are protecting payment card data. Those trends should cause any CISO to look closely at how their organization is handling data protection – and not just for payment cards. Critical data needs protecting regardless of how it is used. The PCI standard is broadly applicable, and the controls are just as effective for PHI, PII, and other sensitive data.
Key Findings
When the PCI SSC published the PCI DSS in 2004, it was expected that organizations would achieve effective and sustainable compliance within about five years. 15 years later and less than half of organizations maintain programs that prevent PCI DSS security controls from falling out of place within a few months after formal compliance validation.
Data protection and compliance present daily challenges. Security professionals must assure that controls remain in place and perform consistently. Despite good intentions, more than half of organizations are still struggling to design, implement and maintain a sustainable compliance program.
One challenge is that many security professionals believe that by following a script in the correct order will result in effective and sustainable data protection. In the real world, things are messy. Organizations might be spending a lot of time and money creating their Data Protection Compliance Programs (DPCP), but many programs are ineffective and fail to advance beyond a program that looks good on paper. Unfortunately, these DPCPs lack the design, implementation, review process and revisions to become effective and sustainable. Additionally, organizations have inadequate or overly complex strategies, which originate from a lack of proficiency in designing, implementing, monitoring and evaluating a DPCP.
Payment card assets and data are under constant threat, and defenders are not always keeping up. Organizations need more robust DPCPs and navigational tools to manage the sustainability of their data protection. The findings of the report are alarming:
- Many companies are not effectively addressing data risks. 18% of the surveyed organizations don’t have a defined compliance program. Only 20% of the respondents rate their DPCP maturity as advanced and a stunning 0% rate their program maturity as optimized.
- Too few organizations are measuring control and compliance performance. Only 18% measure their PCI DSS controls more frequently than what the standard requires. 32% of the respondents use control effectiveness and operational performance metrics, while only 7% use program impact metrics to measure program performance.
- Organizations in the Asia – Pacific (APAC) region show a stronger ability to maintain full compliance: 69.6% maintained conformance to the security standard. On the other hand, only 20.4% of organizations in the Americas maintained full compliance.
- The finance industry has done a tremendous job with raising the bar on full compliance in comparison to peer industries, but it is only 2.4% above the global average. On the other hand, retail is below the global average in maintaining compliance. For all industries, the report sees a significant decrease in the ability to maintain full compliance.
Figure 2: PCI DSS Compliance per region (left) and by industry (right)
The Retail Industry
Retail has never been more competitive. To succeed, retail organizations must listen to their customers. And more than ever, data and privacy protection matter to retail customers.
According to the 2019 Verizon report “Winning the CX war: The risks and rewards of next-generation CX,” only 7% of customers would continue to use a company if it suffered a data breach, and 69% of customers would avoid a company that has suffered a data breach even if it offers a better deal than competitors. This makes payment card security a crucial differentiator. Consistently maintaining effective security controls to meet the PCI DSS can help retail organizations earn customer trust and win a competitive advantage. But to accomplish this, DPCPs must evolve and mature.
Figure 3: Confirmed Data Breaches per Industry
Four years ago, retail data was most often compromised at the point of sale. Since that time, EMV technology has reduced the value proposition of card-present fraud, and data breaches are primarily occurring through web applications. However, security breaches haven’t been eliminated. Retailers must still be vigilant about protecting card data.
Data on long-term trends show that retail suffered the largest percentage of confirmed data breaches compared to the other industries studied—hospitality, financial services and IT services. Verizon’s data shows that it is mostly the online retailers that experience compromises. According to the Verizon 2019 DBIR, bad actors compromise retail data for financial gain, fun and espionage. This includes personal information that can be stolen from reward programs.
While payment card security is vital, not all businesses are in full compliance. Retail’s compliance rate with PCI DSS this year was similar to IT services, better than hospitality (26.3% compliance) and behind financial services, which led the four industries studied at 39.0% compliance with PCI DSS.
Retail PCI DSS Compliance: The Good, the Bad and the Interesting
The 2019 PSR indicates that retail did a good job of encrypting data in transit (PCI DSS Requirement 4) and protecting against malicious software (Requirement 5). Retail outperformed other industries by getting closer to complying with both requirements. The industry also did fairly well at authenticating access (Requirement 8) to prevent data theft. Retail reported 70.5% full compliance with Requirement 8, ahead of both financial and IT services. Finally, retail demonstrated success in tracking and monitoring access to data (Requirement 10). The industry reported the highest full compliance across the four industries surveyed (81.8%) in meeting this requirement.
Where retail fell short in meeting PCI DSS requirements was in using too many vendor-supplied defaults across in-scope components (Requirement 2). Additionally, retail dropped significantly in complying with the requirement to have good security management (Requirement 12).
Retail scored the lowest of all industries studied in data breach incident preparedness. The major barriers vendors faced were:
- Identifying users and ensuring that they had the right level of privileges (Control 10.2.5)
- Following due diligence when engaging service providers (Control 12.8.3)
- Detecting unauthorized wireless access points (Control 11.1.2)
- Maintaining an incident response (IR) plan (Control 12.10)
Recommendations for Retail Compliance
The Verizon 2019 PSR report offers some useful recommendations for the retail industry to increase their level of PCI DSS compliance.
For starters, retail vendors should change vendor defaults. Replacing default passwords and avoiding other vendor-supplied defaults makes organizations more resistant to attacks. Organizations must make this a priority. The good news is that the skills to replace defaults are likely already in-house.
Second, retail should invest in incident preparedness. Cybersecurity incidents will likely occur. How an organization responds can make all the difference. Identifying potential security incidents, responding quickly and maintaining incident response plans can give retailers an advantage in investigations and damage control.
Figure 4: 9 Factors of Control Effectiveness and Sustainability
Overall, retail vendors should mature their compliance programs. Compliance challenges do not exist in isolation. The Verizon 2019 PSR report has good news for every retail vendor, as it introduces the Verizon 9-5-4 Compliance Program Performance Evaluation Framework. The Framework combines 9 Factors of Control Effectiveness and Sustainability with 5 Constraints of Organizational Proficiency and 4 Lines of Assurance. This integrated framework can be the navigational aid that organizations need to enhance the clarity of their DPCPs. The framework provides a level of visibility and control that helps organizations achieve repeatability, consistency and highly predictable outcomes.
The Verizon 9-5-4 Compliance Program addresses elements to help develop and improve capability and process maturity across an entire DPCP. Continuously maturing your security framework with the Verizon Framework is a proactive and progressive step that will help keep compliance at optimum capacity.
Figure 5: The 5 Constraints of Organizational Proficiency
Conclusion
Building a mature compliance program can allow you to join these industry leaders and gain a competitive advantage by creating the trusted brand that customers seek. Reading the Verizon PSR report is a good start, but the real value comes from implementing the recommendations. This will ensure greater data protection as well as help with audit compliance.
Learn how ITEGRITI can help you be compliant with the PCI DSS requirements or assist in the maturation of your program.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Itegriti, Inc.