Despite Payment Card Industry Data Security Standard (PCI DSS) compliance improving significantly in 2020, the cybersecurity threats organisations face are more cunning and evasive than they were even two years ago, the 2022 Verizon Payment Security Report (2022 PSR) reveals. As organisations prepare to implement PCI DSS v4.0, the 2022 PSR provides valuable insights to pivot and adapt to the new Standard.
Verizon’s logical approach to the strategic management of complex compliance challenges appears to be making a positive difference for businesses. This year’s report found that, overall, PCI DSS compliance improved significantly in 2020, with 43.4 percent of organisations maintaining full compliance, compared to 27.9 percent in 2019. Additionally, while over half (56.7%) of organisations failed their interim validation assessment due to one or more security controls omissions, the security control gap still improved substantially, from a high 7.7 percent in 2019 to a low 4.0 percent in 2020.
“Despite compliance improvements, we know that bad actors are still out there and stronger than ever,” said Sampath Sowmyanarayan, CEO, Verizon Business. “Our own 2022 Data Breach Investigations Report (2022 DBIR) found the financial sector continues to be victimised by motivated organised crime, with servers being involved in 90 percent of financial breaches. As a result, working harder on your current strategy is unlikely to move the needle,” Sowmyanarayan continued. “To remain safe in today’s heightened cybersecurity climate, organisations will need to approach their objectives and goals at a project, program and strategic level.”
The COVID-19 pandemic escalated online business activities and payment card transactions, but it also enabled the skillful exploitation of both existing and emerging threats and weaknesses within payment systems and processes. Further complicating the payment security landscape for Chief Information Security Officers (CISOs) and other security practitioners, the PCI SSC recently instituted the most significant rewrite of the DSS since its release in 2004. While a significant step forward, security leaders need to focus their attention and resources on getting up to speed with these new requirements. Released earlier this year, PCI DSS v4.0 will go into effect in 2024.
“Substantial industry feedback drove changes to PCI DSS v4.0,” said Lance Johnson, Executive Director of the PCI Security Standards Council. “Key changes to the standard focus on meeting the evolving security needs of the payments industry, continuously promoting security processes, increasing flexibility for organisations using different methods to achieve security objectives, and enhancing validation procedures.”
Design priorities for PCI DSS v4.0
CISOs and their teams will need to apply a logical, coordinated process to evaluate requirements and constraints of PCI DSS v4.0, while navigating their way through the changes. To help organisations within the payment industry simplify the complexity of these new measures and ensure data security, the 2022 PSR includes a “toolbox” of management models and frameworks useful for negotiating PCI DSS v4.0.
As the report highlights, the challenges organisations encounter with data security and compliance management have identifiable cause-and-effect relationships. The key to achieving ongoing growth and stability of security and compliance program performance is to find a way to focus resources on only the parts within the security environment that are currently limiting or blocking further improvement—the weakest links, system constraints or leverage points. As such, strategic planning, coordination and execution at an operational level is paramount for averting costly data breaches.
Potential impact of 5G on payment card compliance
The appeal of emerging technologies, such as 5G and edge computing, gained significant momentum when the COVID-19 pandemic exposed the weakest links of the financial services industry. The speed and stability of 5G will continue to enhance the mobile experience for the payments industry—providing greater customer security through advanced biometric-based identification and verification methods. It also will provide more secure connections for video conferencing, with participants such as financial professionals and loan counselors.
Financial institutions and merchants will continue to find innovative ways to benefit from 5G-enhanced features, open architecture and Multi-access Edge Computing (MEC) technologies. At the same time, security practitioners need to explore how these new innovations might impact the PCI DSS compliance posture.
About the Verizon Business 2022 Payment Security Repor
Verizon published the industry’s first global analysis of PCI DSS assessments in the 2010 Verizon PCI Compliance Report, now called the Payment Security Report (PSR). Based on global data gathered by PCI DSS qualified security assessors (QSAs) from Verizon and four other external contributors, with additional comparisons between geographic regions (Americas, EMEA and APAC), the report explores why some companies accomplish more than others in their efforts to achieve sustainable and effective data security. Since its inception, the PSR has tracked compliance ups and downs, while keeping a finger on the pulse of the changing payment security landscape.
Read the full Verizon PSR 2022, and learn more about what the Verizon Cyber Security Consulting Payment Security Practice is doing to help organisations prepare for PCI DSS v4.0.