Verizon recently released its 2018 Payment Security Report. During North America PCI Community Meeting in Las Vegas, PCI SSC CTO Troy Leach addresses trends and findings from the report.
Why are reports such as Verizon’s Payment Security Report important for payment security professionals?
Data-sharing and cross-industry collaboration is vital to understand the evolving threat landscape and to progress global payment security. As evident in the Verizon Payment Security Report, organizations continue to face challenges maintaining high-levels of security and adjustments to controls in rapidly changing environments. Organizations should pay close attention to the findings in the report to remain vigilant for key learnings on how to remain secure. Compliance should never be seen as the end goal for security but rather a measurement for an organization’s continued success in protecting data.
What are your thoughts on the news that compliance rates are down this year?
As a Standards body, the PCI SSC is not involved with the enforcement of compliance or have visibility into survey results. Having said that, the report underlines the fact that the Standards, when implemented and maintained properly, help businesses safeguard payment data and detect, mitigate and prevent criminal attacks and breaches. Organizations must remain vigilant and make payment card security an everyday priority.
Maintaining compliance continues to be a challenge for organizations. According to the report nearly half (47.5%) of the organizations assessed for interim PCI DSS compliance validation had not maintained all DSS controls.
Sound security requires a daily, coordinated focus. Compliance should not be seen as “checkbox” activity but rather an everyday activity to protect payments against new threats that appear continuously.
Why is this concerning and what can organizations do to maintain security controls?
The first priority is to determine if opportunities exist to minimize risk. This could be by eliminating unnecessary storage of payment data, upgrading payment terminals to encrypt cardholder data as part of a P2PE solution, or isolating payment data from the rest of the company’s infrastructure.
Sometime the simplest answer is not adding more security resources but re-evaluating the method in which payments are accepted. Newer technology and payment methodologies may provide additional business and security advantages to reduce the overall effort to maintain security controls.
For the residual risk that remains, isolating payment data to smaller segments will allow organizations to focus attention for monitoring and other security controls on critical assets.
Finally, organizations should view most of the PCI DSS requirements as demonstration of process for ongoing security of cardholder data. Not just a point in time.
This starts with building a culture of continuous security of payment card data at all times.
Can you share your thoughts on how the PCI Security Standards will evolve based on the threat landscape?
Cybercriminals are relentless. Botnets and other automated attacks are increasing the speed and volume of threats to payment card data. The best way to thwart these attacks is to make the data of little to no value to criminals.
PCI SSC encourages organizations implement a multi-layered approach that includes dynamic chip technology at the point-of-sale, point-to-point encryption and tokenization to make payment card data useless in the hands of hackers and fight back against cyberthreats.
