Verizon PSR: APAC companies lead in payment security compliance

Photo Credit:john_99/iStcokPhoto

Bucking global trend, 77% of APAC companies outpace counterparts in other regions in maintaining full compliance of the Payment Industry Security Standard (PCI DSS)

According to Verizon’s 2018 Payment Security Report (PSR) released yesterday, full compliance to the standard is only 46.4% of companies in Europe and 39.7% of companies in the Americas.

Verizon said the differences among the regions can be attributed to the timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems. 

Globally, the report also reveals full compliance is decreasing for the first time in six years, dropping to 52.4% last year from 55.4% in 2016.

“PCI Compliance standards are slipping across global businesses and this simply can’t continue,” said Rodolphe Simonetti, global managing director for security consulting, Verizon.

PCI DSS helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. Full compliance to the standard has been proven to help protect payment systems from illegal access of cardholder data, so this trend is alarming.

“Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection.”

By business sector, the report states IT services remain on top when it comes to compliance, with over three-quarters of organizations (77.8%) achieving full status. Retail (56.3%) and financial services (47.9%) were significantly ahead of hospitality organizations (38.5%), which demonstrated the lowest compliance sustainability.

With businesses often leveraging PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), this gap between the various business sectors that deal with electronic payments on a daily basis is significant.

Control effectiveness and sustainability are essential

“For compliance processes to be effective, they need to be driven from the top, but often progress or challenges are not clearly communicated or understood by executives,” Simonetti said.

Verizon has developed nine factors which help businesses sustain their compliance levels. These factors of control effectiveness and sustainability support the 12 key requirements of the PCI DSS standard and are as follows:

  • Factor 1: Control Environment: The sustainability and effectiveness of the 12 Key Requirements depends on a healthy Control Environment.
  • Factor 2: Control Design: Proper control operation to meet DSS security control objectives depends on sound Control Design.
  • Factor 3: Control Risk: Without on-going maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down. Mitigation of control failures requires integrated management of Control Risk.
  • Factor 4: Control Robustness: Controls operate in dynamic business and ever-changing threat environments. They must be robust to resist unwanted change to remain functional and perform to specifications (configure standards, access control, system hardening, etc.).
  • Factor 5: Control Resilience: Security controls can potentially still fail, despite adding layers of control for increased robustness, therefore control resilience with proactive discovery and quick recovery from failure is essential for effectiveness and sustainability .
  • Factor 6: Control Lifecycle Management: To achieve all of the above it is necessary to monitor and actively manage security controls throughout each stage of their lifecycle from inception to retirement.
  • Factor 7: Performance Management: Establishing and communicating performance standards to measure the actual performance of the control environment improves control effectiveness, and promotes predictable outcomes of your data protection and compliance activities, allowing for early identification and correction of performance deviations.
  • Factor 8: Maturity Measurement: A control environment should never be stagnant – it must improve continuously. To do so, businesses need a roadmap, a target level of process and capability maturity to track the degree of formality and optimization of processes as indication of how close developing processes are to being complete and capable of continual improvement.
  • Factor 9: Self-Assessment: Achieving all of the above requires in-house proficiency – resource capacity (people, processes and technology), capability (supporting processes), competency (skills, knowledge and experience) and commitment (the will to consistently adhere to compliance requirements) – in short a self-assessment proficiency

“Our aim is to provide a clear structure and methodology to firstly help compliance personnel, but also equip them to open compliance dialogue with their board members, making the narrative easier to understand,” Simonetti said.