Risky business: Here's why your payment system may be vulnerable to cyberattack

Many firms, especially those in hospitality and retail, fail to comply with payment card industry data security standards and protect against breaches, according to a new report from Verizon.

As cybercrime rates continue to rise, firms must pay attention to payment card security to avoid a potential breach and the theft of cardholder data. Enter the Payment Card Industry Data Security Standard (PCI DSS), which was created to help businesses that take card payments protect their systems from cyberattacks. However, many organizations fail to comply with these standards, and that failure is directly correlated to their ability to defend themselves from cyberthreats, according to the Verizon 2017 Payment Security Report, released Thursday.

Overall PCI compliance has increased among global businesses, according to the report, with more than 55% of organizations studied passing their interim assessment in 2016—up from 48% the year before. But this means that nearly half of retailers, restaurants, hotels, and other businesses that accept card payments are failing to maintain compliance, Verizon noted.

Verizon investigated several payment card data breaches, and found that no organization that experienced a breach was fully compliant at the time of the breach. These organizations also showed lower compliance on 10 out of the 12 PCI DSS key requirements, the report stated.

"There is a clear link between PCI DSS compliance and an organization's ability to defend itself against cyberattacks," Rodolphe Simonetti, global managing director for security consulting at Verizon, said in a press release. "Whilst it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed - large and small - are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner."

Certain industries were more likely to achieve compliance than others, the report found. The IT services industry achieved the highest compliance levels in 2016, at 61%, followed by 59% of financial services organizations. On the lower end, retail achieved 50% compliance, while hospitality achieved only 43%.

Retail's greatest compliance challenges include security testing, encrypted data transmissions, and authentication. In hospitality, they include security hardening, protecting data in transit, and physical security, according to the report.

Many firms fail to implement basic PCI controls, such as security testing and penetration tests. In 2016, companies that failed their interim assessment had an average of 13% of controls missing, Verizon found.

"It is no longer the question of 'if' data must be protected, but 'how' to achieve sustainable data protection," Simonetti said in the release. "Many organizations still look at PCI DSS controls in isolation and don't appreciate that they are inter-related - the concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals."

Verizon offers the following five tips to help companies comply with PCI DSS over time and keep their customers' payment data safe:

1. Consolidate for ease of management. Adding more security controls is not always the answer, as the PCI DSS Standard already contains numerous interlinked data protection standards and regulations. Organizations should be able to use this to consolidate controls, making them easier to manage overall.

2. Invest in developing expertise. Organizations should invest in their people to develop and maintain their knowledge of how to enhance, monitor and measure the effectiveness of controls in place.

3. Apply a balanced approach. Companies need to maintain an internal control environment that is both robust and resilient if they want to avoid controls falling out of compliance.

4. Automate everything possible. Applying data protection workflow and automation can be a huge asset in control management, but all automation also needs to be frequently audited.

5. Design, operate, and manage the internal control environment. The performance of each control is inter-linked, so if there is a problem at the top, it will impact the performance of the controls at the bottom. It is essential to understand this in order to achieve and maintain an effective and sustainable data protection program.

About Alison DeNisco

Alison DeNisco is a Staff Writer for TechRepublic. She covers CXO and the convergence of tech and the workplace.
