Nearly three quarters of organisations worldwide are not fully compliant with the PCI DSS payment security standards that were established to prevent the theft or leakage of sensitive payment data from websites and applications.
Verizon's latest Business Payment Security Report has revealed that, despite the massive theft of payment information from websites all over the world over the past few years, PCI DSS compliance has seen a 27.5 percentage point drop since 2016, making organisations even more vulnerable to financially motivated cyber security threats.
The report highlighted that the inability of organisations to retain qualified CISOs or security managers, and their failure to put in place long-term security strategies, is holding them back from fully complying with PCI DSS standards. This lack of seriousness towards the security of payment data is rampant despite the fact that 99% of security incidents involve the theft of payment data.
“Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business.
“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data, and consumers trust businesses to safeguard their information. Payment security has to be seen as an on-going business priority by all companies that handle any payment data; they have a fundamental responsibility to their customers, suppliers, and consumers,” he added.
The PCI DSS security standards require organisations to implement certain security measures, such as protecting payment data with firewalls, using updated antivirus solutions, restricting access to payment card data, encrypting the transmission of card data across networks, updating and patching systems that are used to store data, and conducting vulnerability scans and penetration tests.
The Business Payment Security Report revealed that full PCI DSS compliance, which requires organisations to comply with all 12 requirements of the standard, fell from 77.7% in 2016 to just 54.5% in 2019, declining consistently over the past four years. A little over half of all organisations successfully test security systems and processes, and only 70.6% of them maintain essential perimeter security controls.
The arrival of the coronavirus pandemic has made things worse for organisations as far as securing their critical digital systems and applications is concerned. In September, research by HackerOne revealed that, since businesses have expedited digital initiatives to support remote working, ethical hackers have found over twice as many vulnerabilities in software in 2020 as they did in 2019.
"Budget and staff cutbacks, a rise in cyber attacks, and the great rush to support remote workers have put security teams under significant pressure. Adding to that, the need to develop new COVID-proof solutions means fresh vulnerabilities are inevitable. Traditional security tactics are no longer sufficient to keep up with a rapidly adapting attack surface. New, affordable, and agile solutions need to be found," said Marten Mickos, CEO of HackerOne.