25 September 2017

Firms still struggling with PCI DSS compliance

01 September 2017

Despite the wave of costly data breaches over the last few years, nearly half of global firms that accept plastic are still failing to meet Payment Card Industry (PCI) security standards, according to a report from Verizon.

While overall PCI compliance has increased amongst global businesses, just 55.4% of organisations assessed by Verizon passed their interim assessment in 2016, compared to 48.4% in 2015.

This means that nearly half of retailers, restaurants, hotels and other businesses that take card payments are still failing to maintain compliance from year to year.

And of all the payment card data breaches Verizon investigated, no organisation was fully compliant at the time of the breach, and the breached organisations showed lower compliance with 10 out of the 12 PCI DSS key requirements.

Rodolphe Simonetti, global managing director, security consulting, Verizon, says: "There is a clear link between PCI DSS compliance and an organization's ability to defend itself against cyberattacks."

"Whilst it is good to see PCI compliance increasing, the fact remains that over 40% of the global organisations we assessed - large and small - are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner."

According to the report, IT services achieved the highest full compliance of all key industry groups studied. Globally, about 61% of firms in this sector achieved full compliance, compared to 59% of financial services organisations, 50% of retail firms and 43% of hospitality companies.

Verizon uses an FS industry firm as an example of how standards can be missed. The unnamed outfit sought exemption from the Wi-Fi requirements of PCI DSS but was surprised to learn that it did in fact have a wireless network operating in its building - causing it to fail.

"The IT admin had got tired of traipsing from the server room in the basement to the IT department on the third floor, and so had installed a router to access the servers from his desk," says Verizon.

Troy Leach, CTO, PCI Security Standards Council, says: "The report highlights the challenges organisations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack.

"This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focus on helping organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process."

Comments: (8)

A Finextra member | 01 September, 2017, 16:45

Hardly surprising. PCI-DSS is the most ludicrous set of standards imposed upon merchants whose sole interest is in wanting to take payments quickly and securely from their customers. The fact that the card schemes have allowed the card details to be compromised and used fraudulently simply demonstrates that cards, as currently used, are no longer fit for purpose. The galling fact is that it's the merchants who are having to invest millions of dollars in shoring up their systems for what is, in effect, a lack of leadership and advance planning by the card schemes.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 01 September, 2017, 19:16

If retailers move their systems and data to the cloud, will it become easier or harder for them to get PCI DSS certification?

Michael Kyritsis - ACI - London | 04 September, 2017, 08:36

Ketharaman, I sense yours is a rhetorical question, because you're too smart to not know the answer! But for everyone else's benefit I'll offer an answer... retailers get huge scope reduction by using a payments solution in the cloud, especially if it is a P2PE validated solution. But they are never completely out of scope of PCI DSS because (for example) the card number is still embossed on the card. In this sense I agree wholeheartedly with the sentiments of the first commenter - I'm sure the issuers could secure the data at source.

Rodney Farmer - Realtime Transactions - Little Rock | 04 September, 2017, 10:37

That is a strong rebuke for a standard that recently celebrated its 10th anniversary. The standard sets out requirements and ongoing process for segmenting comm networks having sensitive data, encrypting the issuing and acquiring databases, and encrypting the channel/message and tokenizing the payment credentials.

Every player (cardholders, banks, merchants, acquirers, processors)  in the payment value chain is susceptible to criminals trying to steal the data; thus, we all must take responsibility for our area.  If anyone in the chain fails to provide sufficient protection, we all lose.  

Large and small merchants alike need only take a certified POS device from a certified provider and avoid doing anything to circumvent the built-in security. Problem solved for a few hundred quid. Of course, as the data is needed to manage one's business, careful management of payment credentials is an absolute requirement that is all too often overlooked (50% apparently).

The focus for the past few years has been to "devalue the data", making it useless to the criminal.  Preventing access to data and sufficiently encrypting and tokenizing the same will eventually have the desired result if the standards are applied.  I encourage you to make use of the standards and resources available in the market today. 

Alternatively, I would like to know your thoughts on what is now "fit for purpose", today?

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 04 September, 2017, 11:10

@Michael Kyritsis:

TY for your kind words. Brevity might make my question appear rhetorical but it is anything but that.

Let me elaborate: I'm referring to migration of an onprem system to the cloud, not signing up for a new cloud system. For years, the retailer's onprem system has been compliant with various industry certifications viz. PCI-DSS. Now, the retailer wishes to migrate all its systems including Retail ERP, Billing, Payments, and so on to the cloud. Given the scope of systems, the retailer may want to opt for a horizontal cloud platform like AWS or Azure instead of different vertical cloud platforms, one for ERP, another for payments, and so on. My question is: In that situation, is it possible for the retailer to ask Amazon / Microsoft to only make their payment system compliant with PCI-DSS?

In a broader sense, my question is equally applicable to other industries e.g. Banking, where different systems need to be compliant with different industry regulatory standards (e.g. OFAC) and industry certifications (e.g. PCI DSS). If a company moves all its systems - including payments - to the cloud, will the cloud provider provide OFAC compliance for System A, D and E and PCI-DSS compliance for System B, F?

Michael Kyritsis - ACI - London | 05 September, 2017, 19:17

@Ketharaman: Migration of an onprem system to the cloud would give a retailer very few benefits, but the PCI DSS standards do cater for it in Appendix A “Additional PCI DSS Requirements for Shared Hosting Providers”. It contains this note: Even though a hosting provider may meet these requirements [separation of entities, and physical security measures], the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable. In answer to your question, Amazon / Microsoft cannot make the retailer's payment system compliant with PCI-DSS, they can only provide a data centre that has the necessary requirements for the retailer to achieve PCI-DSS. In our experience the overwhelming majority of retailers have already moved, or are looking to move, to a SaaS solution because they don’t want to be burdened with the technical requirements of security, compliance with the card scheme mandates, etc.

@Rodney: my thoughts on what is now "fit for purpose" today is to separate CNP from card-present. Why is the same PAN embossed on the card, encoded in the magstripe, and in the CHIP? If they were 3 different numbers (all linked to the same account) a retailer could decide to accept EMV only (in those markets where it is already very well established) and any data passing through the payments system would be useless to fraudsters trying to create counterfeit cards or do fraudulent CNP transactions.

Rodney Farmer - Realtime Transactions - Little Rock | 06 September, 2017, 07:12

Agreed.  In 2007, I was issued a MC branded pin-only-debit card by an Austrian bank.  The number on the face of the card is merely a reference number.  It has no magstripe and the chip contains the real number.  The point is that everything you mentioned is possible but requires the market players to adopt it including the consumer.  

Payment markets are set to fragment in their deployment of cards and other payment solutions. Europe has/will regulate standards with the implementation of PSD2 and ultimately disintermediate cards altogether.

Mobile will help us accomplish fit-for-purpose via instant issue, HCE, user driven card consoles, new security features like 2Factor, etc. The thing to remember is from where we came. Today security concerns and CNP e-comm are ubiquitous and card issuers have been unwilling to set limitations of use that would diminish the use of cards. Top of wallet with interchange income is more important than fraud losses. With thieves continuing to improve and payments becoming more competitive, the evolution will only continue.

Improvement is, in this case, the enemy of Innovation.   

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 06 September, 2017, 08:36

@Michael Kyritsis:

Okay, I take that as a NO on public cloud!

This is the first time I'm hearing that Amazon / Microsoft can provide a datacenter. In that case, it's a no-brainer that a given company can do whatever it wants on its dedicated datacenter to make some systems compliant with X reg and some other systems compliant with Y certification. My question was specifically related to public cloud and was based on the assumption that Amazon / Microsoft will find datacenter to be the antithesis of their public cloud offering. 

There are others on Finextra who make a strong case for a company to move its existing systems to public cloud rather than replace them with SAAS e.g. https://www.finextra.com/blogs/fullblog.aspx?blogid=14425. So, I guess, it's different strokes for different folks!
