Firms still struggling with PCI DSS compliance

Despite the wave of costly data breaches over the last few years, nearly half of global firms that accept plastic are still failing to meet Payment Cards Industry (PCI) security standards, according to a report from Verizon.

While overall PCI compliance has increased amongst global businesses, just 55.4% of organisations assessed by Verizon passed their interim assessment in 2016, compared to 48.4% in 2015.

This means that nearly half of retailers, restaurants, hotels and other business that take card payments are still failing to maintain compliance from year to year.

And of all the payment card data breaches Verizon investigated, none of the breached organisations was fully compliant at the time of the breach, and they showed lower compliance with 10 of the 12 PCI DSS key requirements.

Rodolphe Simonetti, global managing director, security consulting, Verizon, says: "There is a clear link between PCI DSS compliance and an organization's ability to defend itself against cyberattacks."

"Whilst it is good to see PCI compliance increasing, the fact remains that over 40% of the global organisations we assessed - large and small - are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner."

According to the report, IT services achieved the highest full compliance of all key industry groups studied. Globally, about 61% of firms in this sector achieved full compliance, compared to 59% of financial services organisations, 50% of retail firms and 43% of hospitality companies.

Verizon uses a financial services firm as an example of how standards can be missed. The unnamed outfit sought exemption from the Wi-Fi requirements of PCI DSS but was surprised to learn that it did in fact have a wireless network operating in its building - causing it to fail.

"The IT admin had got tired of traipsing from the server room in the basement to the IT department on the third floor, and so had installed a router to access the servers from his desk," says Verizon.

Troy Leach, CTO, PCI Security Standards Council, says: "The report highlights the challenges organisations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack.

"This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focuses on helping organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process."

Comments (8)

A Finextra member - 01 September, 2017, 16:45 (1 like)

Hardly surprising. PCI-DSS is the most ludicrous set of standards imposed upon merchants whose sole interest is in wanting to take payments quickly and securely from their customers. The fact that the card schemes have allowed the card details to be compromised and used fraudulently simply demonstrates that cards, as currently used, are no longer fit for purpose. The galling fact is that it's the merchants who are having to invest millions of dollars in shoring up their systems for what is in effect, a lack of leadership and advance planning by the card schemes.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune - 01 September, 2017, 19:16 (0 likes)

If retailers move their systems and data to the cloud, will it become easier or harder for them to get PCI DSS certification?

Michael Kyritsis - ACI - London - 04 September, 2017, 08:36 (0 likes)

Ketharaman I sense yours is a rhetorical question, because you're too smart to not know the answer! But for everyone else's benefit I'll offer an answer... retailers get huge scope reduction by using a payments solution in the cloud especially if it is a P2PE validated solution. But they are never completely out of scope of PCI DSS because (for example) the card number is still embossed on the card. In this sense I agree wholeheartedly with the sentiments of the first commenter - I'm sure the issuers could secure the data at source.

Rodney Farmer - Realtime Transactions - Little Rock - 04 September, 2017, 10:37 (0 likes)

That is a strong rebuke for a standard that recently celebrated its 10th anniversary.  The standard sets out requirements and ongoing process for segmenting comm networks having sensitive data, encrypting the issuing and acquiring data bases, and encrypting the channel/message and tokenizing the payment credentials.  

Every player (cardholders, banks, merchants, acquirers, processors)  in the payment value chain is susceptible to criminals trying to steal the data; thus, we all must take responsibility for our area.  If anyone in the chain fails to provide sufficient protection, we all lose.  

Large and small merchants alike need only take a certified POS device from a certified provider and avoid doing anything to circumvent the built-in security. Problem solved for a few hundred quid. Of course, as the data is needed to manage one's business, careful management of payment credentials is an absolute requirement that is all too often overlooked (50% apparently).

The focus for the past few years has been to "devalue the data", making it useless to the criminal.  Preventing access to data and sufficiently encrypting and tokenizing the same will eventually have the desired result if the standards are applied.  I encourage you to make use of the standards and resources available in the market today. 

Alternatively, I would like to know your thoughts on what is now "fit for purpose", today?

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune - 04 September, 2017, 11:10 (0 likes)

@Michael Kyritsis:

TY for your kind words. Brevity might make my question appear rhetorical but it is anything but that.

Let me elaborate: I'm referring to migration of an onprem system to the cloud, not signing up for a new cloud system. For years, the retailer's onprem system has been compliant with various industry certifications viz. PCI-DSS. Now, the retailer wishes to migrate all its systems including Retail ERP, Billing, Payments, and so on to the cloud. Given the scope of systems, the retailer may want to opt for a horizontal cloud platform like AWS or Azure instead of different vertical cloud platforms, one for ERP, another for payments, and so on. My question is: In that situation, is it possible for the retailer to ask Amazon / Microsoft to only make their payment system compliant with PCI-DSS?

In a broader sense, my question is equally applicable to other industries e.g. Banking, where different systems need to be compliant with different industry regulatory standards (e.g. OFAC) and industry certifications (e.g. PCI DSS). If a company moves all its systems - including payments - to the cloud, will the cloud provider provide OFAC compliance for Systems A, D and E and PCI-DSS compliance for Systems B and F?

Michael Kyritsis - ACI - London - 05 September, 2017, 19:17 (0 likes)

@Ketharaman: Migration of an onprem system to the cloud would give a retailer very few benefits, but the PCI DSS standards do cater for it in Appendix A "Additional PCI DSS Requirements for Shared Hosting Providers". It contains this note: Even though a hosting provider may meet these requirements [separation of entities, and physical security measures], the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable. In answer to your question, Amazon / Microsoft cannot make the retailer's payment system compliant with PCI-DSS; they can only provide a data centre that has the necessary requirements for the retailer to achieve PCI-DSS. In our experience the overwhelming majority of retailers have already moved, or are looking to move, to a SaaS solution because they don't want to be burdened with the technical requirements of security, compliance with the card scheme mandates, etc.

@Rodney: my thoughts on what is now "fit for purpose" today is to separate CNP from card-present. Why is the same PAN embossed on the card, encoded in the magstripe, and in the CHIP? If they were 3 different numbers (all linked to the same account) a retailer could decide to accept EMV only (in those markets where it is already very well established) and any data passing through the payments system would be useless to fraudsters trying to create counterfeit cards or do fraudulent CNP transactions.

Rodney Farmer - Realtime Transactions - Little Rock - 06 September, 2017, 07:12 (1 like)

Agreed.  In 2007, I was issued a MC branded pin-only-debit card by an Austrian bank.  The number on the face of the card is merely a reference number.  It has no magstripe and the chip contains the real number.  The point is that everything you mentioned is possible but requires the market players to adopt it including the consumer.  

Payment markets are set to fragment in their deployment of cards and other payment solutions. Europe has/will regulate standards with the implementation of PSD2 and ultimately disintermediate cards altogether.

Mobile will help us accomplish fit-for-purpose via instant issue, HCE, user driven card consoles, new security features like 2Factor, etc. The thing to remember is from where we came. Today security concerns and CNP e-comm are ubiquitous and card issuers have been unwilling to set limitations of use that would diminish the use of cards. Top of wallet with interchange income is more important than fraud losses. With thieves continuing to improve and payments becoming more competitive, the evolution will only continue.

Improvement is, in this case, the enemy of Innovation.   

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune - 06 September, 2017, 08:36 (1 like)

@Michael Kyritsis:

Okay, I take that as a NO on public cloud!

This is the first time I'm hearing that Amazon / Microsoft can provide a datacenter. In that case, it's a no-brainer that a given company can do whatever it wants on its dedicated datacenter to make some systems compliant with X reg and some other systems compliant with Y certification. My question was specifically related to public cloud and was based on the assumption that Amazon / Microsoft will find datacenter to be the antithesis of their public cloud offering. 

There are others on Finextra who make a strong case for a company to move its existing systems to public cloud rather than replace them with SAAS e.g. So, I guess, it's different strokes for different folks!