Patchy PCI compliance putting consumer credit card data at risk
Good intentions dashed by weary admin's ad hoc Wi-Fi, hotel's wack-ass data storage
Nearly half of global organisations fail to comply with the security standards laid out by the Payment Cards Industry (PCI) to ensure customer payment data is protected, according to a new report.
Verizon’s latest Payment Security Report (PSR) found that overall PCI compliance has increased among global businesses, with 55.4 per cent of organisations Verizon assessed passing their interim assessment in 2016. This is an increase from 2015, when only 48.4 per cent of organisations achieved full compliance during their interim validation.
By failing to comply with the PCI Data Security Standard (DSS), organisations are putting consumers at increased risk of payment fraud, Verizon warns. While the number of companies complying with the PCI DSS has increased compared to previous years, non-compliant organisations are failing to implement more controls than ever before.
“While it is good to see PCI compliance increasing, the fact remains that over 40 per cent of the global organisations we assessed – large and small – are still not meeting PCI DSS compliance standards,” said Rodolphe Simonetti, global managing director for security consulting at Verizon. “Of those that pass validation, nearly half fall out of compliance within a year – and many much sooner.”
The hospitality industry – hotels, restaurants, bars and the like – was the worst payment security compliance culprit, scoring the lowest percentage of any industry for achieving full PCI DSS compliance at interim validation.
In one recorded example, a hotel was found to be storing almost a decade’s worth of receipts containing full, unmasked card numbers next to its laundry room. Security hardening, protecting data in transit and physical security are all issues for the hospitality industry in general.
In another case, a financial services organisation seeking exemption from the Wi-Fi requirements of PCI DSS was surprised to learn that it did in fact have a wireless network operating in its building, a shortcoming that caused it to fail its security audit. An IT admin had got tired of traipsing from the server room in the basement to the IT department on the third floor, and had installed a router to access the servers from his desk.
About three-fifths (61.3 per cent) of IT services organisations achieved full compliance during interim validation in 2016, followed by 59.1 per cent of financial services organisations (including insurance companies) and retail (50 per cent).
Troy Leach, chief technology officer for the PCI Security Standards Council, said: “The report highlights the challenges organisations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack. This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focuses on helping organisations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.”
Verizon’s Payment Security Report is based on actual casework, encompassing the results from thousands of real-world PCI compliance assessments. These assessments are run by Verizon's team of PCI Qualified Security Assessors for Fortune 500 and large multinational firms in more than 30 countries.
The report can be downloaded here. ®