Verizon’s 2020 Payment Security Report makes for rather sobering reading, particularly if you’re a CISO responsible for designing, implementing and executing data security compliance programs.
High-Level Overview
The report found that in 2019, only 27.9% of organizations assessed for the report had maintained PCI DSS compliance at their interim compliance validation. In other words, nearly three quarters of companies that had previously been assessed as fully compliant with PCI DSS were no longer compliant by the time of their interim validation.
This is the third consecutive year that compliance rates have fallen, with fewer and fewer organizations demonstrating the ability to keep a minimum baseline of security controls in place. It’s clear from the 140-page report that the Retail, Financial and Hospitality sectors are particularly bad at staying compliant.
Whilst it is still Requirement 11 – Security Testing – that causes companies the most difficulty, Verizon point to a general lack of leadership and strategic support at management level as the major contributing factor.
Were The Results The Same Across The World?
Broken down by region, the 2020 Payment Security Report found that US organizations lag well behind their counterparts elsewhere when it comes to remaining fully compliant at the interim validation stage after a prior full PCI DSS assessment. Just 8.5% of the US organizations examined maintained full compliance with the standard. EMEA followed at 40.5%, while Asia Pacific led the way with 87% of companies maintaining compliance.
What is clear is that CISOs are facing a raft of challenges. The report highlights how CISOs are being drawn into reacting to security incidents – firefighting – rather than having the time to take a broad, proactive and planned strategic stance.
Plus, with workforces transitioning to remote working almost overnight, an additional layer of security management was added to organizations’ action lists to ensure that any new vulnerabilities introduced by that shift are dealt with.
Does this imply that companies are not investing enough in expanding their security teams at the rate required to support the increasing risks facing organizations today?
Not All Bad
The 2020 Payment Security Report does identify a positive trend: around 4 out of 10 firms are expected to increase IT budgets – predominantly to replace outdated infrastructure, address security concerns or support an increase in employee numbers.
Whilst these investments will naturally have a positive impact on an organization’s security, the report also found that only 7% of these budgets had been earmarked for security specifically.
When you consider the potential damage to a business’s reputation and revenues should a security breach or hack occur, that share seems somewhat disproportionate.
With technology evolving, digital transformation occurring across many industry sectors, and the huge shifts we’ve seen since the onset of the Coronavirus pandemic, CISOs have had to identify the priority security components – those considered ‘most critical’ in this ever-changing landscape – and act accordingly.
The 2020 Payment Security Report Offers A Reminder
Ultimately, the 2020 Payment Security Report shows that maintaining PCI DSS compliance once it has been achieved is a significant challenge, and that sustained compliance has been slipping year on year.
Of course, there is still a long way for many organizations to go to achieve full PCI DSS compliance in the first place.
In today’s uncertain world, where cybercriminals are increasingly taking advantage of the fallout from the pandemic, the report offers a timely and detailed reminder. There are steps CISOs – and the organizations they serve – need to take to keep payment security front of mind. In taking them, they will safeguard their reputations and build trust with consumers.