In the past, nearly all businesses took checks, and all happily accepted cash payments. Stores began placing promotional stickers on their doors, beckoning to customers, with the promise that they accepted credit cards.
Now some stores take nothing but credit and debit cards and do not accept cash at all. More and more locations accept Apple Pay or Samsung Pay for mobile payments, and some vendors even accept PayPal, needing only to check the email on their smartphone to confirm that a customer's payment has gone through. Still, credit cards remain the most popular way for people to pay, and every organization that accepts them must comply with the Payment Card Industry (PCI) standards and assure its customers that it will keep their private information secure.
Since 2003, organizations have been required to comply with payment-card industry regulations and to be assessed against payment-card data-security standards. Yet many organizations are still only going through the motions of annual validation; they need to move their data protection and compliance processes and capabilities to a more substantive level. Without a sound strategy for measuring the effectiveness and sustainability of data protection, companies spend money on protecting data without getting any better at maintaining compliance, and the result is a false sense of security. Many organizations appear stuck in a reactive cycle, focusing only on meeting baseline compliance requirements rather than looking ahead to a more proactive approach.
For the last nine years, Verizon has published the Payment Security Report (PSR), which provides an in-depth perspective on the regulatory landscape of the payment card industry, as well as on the value and performance of the Payment Card Industry Data Security Standard (PCI DSS).
The 2019 edition of the PSR has just been released. It focuses on visibility, control and maturity, and includes an analysis of how to realign a compliance program to improve its goals and design a sustainable path to greater data-protection maturity. It also builds on the factors established in previous PSRs.
Verizon listened to requests from CISOs (Chief Information Security Officers) for guidance on two key objectives:
1. Sustainable control effectiveness
2. Predictable program performance and outcomes
The report also includes new tools, such as the Verizon 9-5-4 Compliance Program Performance Evaluation Framework (DCCEF), intended to push compliance management to higher levels of assurance and predictability.
2019 main points
The 2019 PSR covers the current global state of compliance and how organizations are (and are not) maintaining PCI DSS compliance, along with:
- Important compliance program design considerations
- Insights into data breach correlation and incident preparedness
- Mobile payment security trends
- A PCI DSS compliance reference calendar
- Incident preparedness guidance
Cardholder data protection programs date back to 1999. Visa launched its program in 2004 and apparently assumed that organizations would achieve effective and sustainable compliance within five years. In 2010, Verizon began tracking the percentage of organizations that maintain compliance, using the PCI DSS compliance measured during interim assessments as an indication of full compliance. Full compliance stood at 22% in 2009, fell to a low of 7.5% in 2011 and peaked at 55.4% in 2016.
Low numbers in active compliance
The report this year reveals that just over a third (36.7%) of organizations were actively maintaining their PCI DSS compliance programs in 2018. This downward trend from the 2016 high has caused major concern.
Many companies create programs that look good on paper but cannot withstand the scrutiny of a professional security assessment. Such programs fail because they are inadequate or overly complex, which stems from a lack of proficiency in designing, implementing, monitoring and evaluating a data protection compliance program (DPCP).
The report also makes clear that data protection requires a strategy: companies must assess risk and plan several steps ahead, executing each step deliberately. CISOs need a clear, easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.
Organizations need to be able to react effectively to changes in the control environment. That’s tough to do when limited to a task-based approach to compliance programs.
The global challenge with payment security is not an inherent lack of sustainability or control effectiveness. These are merely symptoms of a widespread problem: inadequate strategy, which in turn originates from organizations' lack of proficiency in designing, implementing, monitoring and evaluating a sustainable data protection compliance program.
The three fundamental objectives of internal controls (ORCs):
- Operations objectives: the effectiveness and efficiency of data protection and compliance operations
- Reporting objectives: the reliability, timeliness and transparency of data protection and compliance reporting
- Compliance objectives: compliance with regulations, not merely on paper but based on evidence that demonstrably provides reasonable assurance that objectives are achieved and maintained under a framework with an effective system of internal controls
All of this comes back to the company's desire to make paying convenient for customers and encourage them to return, while still keeping their cardholder data tightly secured.
The report then outlines the critical questions organizations must ask and answer to achieve their most important goals:
- What data do you have, where is it and how does it flow? Are you sure you know where all your data is and who is responsible for it? How do you keep track of it? Do you know exactly where all the data that needs to be protected is? How much control do you have over sensitive data flowing through your environment? Are you tracking all locations, in real time?
- Are you secure enough? How confident are you about the protection of your data? How do you know your payment card data is secure? Based on what evidence? Which metrics do you track to answer this question? Does compliance mean your data really is secure?
- How confident are you that the right controls are effective and in the right places? How does your control design process identify the controls that are needed? What evidence do you have for the effectiveness of your controls? Do you measure control effectiveness for all controls?
- How predictable is your DPCP performance? With how much confidence can you predict the outcome of your key DPCP objectives, and can you do so at any point in time?
- How do you ensure the quality and durability of your key data protection and compliance processes? Do you know what those processes consist of? How repeatable and consistent are your key processes? Can you predict success or failure with a degree of certainty ahead of time?
- How quickly can you detect and respond to policy, standard and procedure deviations? How do your expectations on event detection and incident response meet reality? What about your expectations of response with corrective actions?
- Do you have controls in place to measure the effectiveness of your DPCP implementation and maturity strategy? How well does it align with industry frameworks, and is it able to meet your control objectives? Does your strategy cover all the essential bases, or do you have ongoing gaps in your DPCP strategy? How do you know that you are prioritizing the right DPCP activities at the right time?
- Did you prioritize the correct objectives? With resources being limited, how do you know your team is spending time on the right tasks?
- How well are you managing the five Constraints of Organizational Proficiency: capacity, capability, competence, commitment and communication? Do you have visibility into your organizational ability to manage each of the five constraints? How well do you understand the 9 Factors of Control Protection Effectiveness and Sustainability? What target maturity levels are you working to achieve in the long term?
- Do you know where you are with control effectiveness and sustainability, and what your organization’s capability will be in one year’s time?
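The first question above, knowing where cardholder data actually lives and flows, is the one a practitioner can start checking with tooling rather than interviews. The following Python scan is an added example, not code from the Verizon report or from this article. It searches text such as application logs for candidate primary account numbers (PANs), keeps only those that pass the Luhn checksum to cut down on false positives such as order references and timestamps, and reports each hit masked to the first six and last four digits, so that the scanner's own output does not become yet another place where full PANs are written down. The sample log lines are constructed for illustration; the card numbers in them are the publicly documented Visa and Mastercard test values, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits. Deliberately loose; Luhn filters it.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. Line 3 carries a 16-digit reference that is
# NOT a card number (fails Luhn) and must not be reported.
SAMPLE = """\
2019-03-01 order=1001 pan=4111111111111111 status=approved
2019-03-01 order=1002 pan=5500 0000 0000 0004 status=approved
2019-03-01 order=1003 ref=1234567890123456 status=declined
2019-03-02 order=1004 pan=4111-1111-1111-1111 status=refund
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Every second digit from the right is doubled; if doubling yields a
    two-digit number its digits are summed (equivalently, subtract 9).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the first six and last four digits (the PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text.

    Separators are stripped before the checksum so that both '5500 0000 ...'
    and '4111-1111-...' are recognised as the same kind of finding.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    # Report where cardholder data was found, never the full number.
    for line_no, masked in find_pans(SAMPLE):
        print(f"line {line_no}: possible PAN {masked}")
```

Run against real log directories, the interesting output is not the individual hits but the list of systems that produced any: every one of them is inside PCI DSS scope whether or not the data-flow diagram says so, which is exactly the gap the first question is asking about.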
Addressing these questions may seem daunting, but a company that has carefully reviewed and answered each of them will be much closer to sustainable, demonstrable compliance.