Verizon has recently published the ‘2019 Payment Security Report’, which highlights a worrying decrease in PCI compliance. According to the new statistics, global compliance is at a record low of just 36.7%; this is now the second year in a row that PCI compliance has decreased. Verizon found that the highest PCI compliance rate is in the Asia-Pacific region at 69.6%, compared with 48% in Europe, Africa and the Middle East and 20.4% in the United States.
“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences. For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches. Our data shows that we have never investigated a payment card security data breach for a PCI DSS-compliant organisation. Compliance works.” – Rodolphe Simonetti, global Managing Director at Verizon
Why are so many businesses falling short?
The Payment Card Industry Data Security Standard (PCI DSS) was first launched in 2006 with the aim of securing digital card transactions for businesses large and small. It applies to all businesses that process electronic card payments. For obvious reasons, businesses that process sensitive card data have a responsibility to ensure it is kept safe and secure. Unfortunately, if businesses continue to lack sufficient processes and controls to keep financial data safe, a rise in credit card fraud is inevitable.
When the standard was first introduced, it was widely believed that it would help to enforce sustainable security within a few years. However, because the PCI standard requires businesses to follow stringent guidelines, achieving compliance can be a convoluted process, especially for businesses that lack in-house expertise or appropriate tools. There seems to be a clear correlation between the complexity of the standard and the large number of businesses falling short. To address this challenge, it is important to seek support from PCI specialists and to use security tools that allow you to automate compliance checks.
There are a number of other common reasons why many businesses fail to achieve PCI compliance. These include weak passwords, lack of encryption and poor internal reporting. For SMBs, reporting is a simpler task, as they have less data to monitor and protect. However, as larger enterprises have data located on multiple servers, reporting effectively can be far more complex. To achieve PCI readiness, they need to be willing to allocate the necessary budgets to deploy network tracking technologies. Considering that many large organisations such as British Airways, Marriott and EE have suffered data breaches involving credit card information, clearly many are still not investing the money needed to protect their data.
What are the consequences of not being PCI compliant?
Non-compliance can result in hefty fines. The size of the financial penalty depends on the volume of card transactions you process, the number of customers you have, the level of compliance your company is expected to achieve and how long you have been falling short of the standard. On average, fines range from £40 to £70 per card exposed in a data breach. If a level one company has been non-compliant for 7 months, it could be liable for fines of up to £80,000 each month.
Other consequences include:
- Termination of contract with your card processor: if you fail to work alongside your acquirer to improve your security in line with the PCI standard, they may be forced to end the relationship, meaning you will no longer be able to process card payments.
- Your customers’ financial data will be exposed to hackers; this data will most likely be sold on the dark web and used for fraudulent purposes.
- Reputational damage resulting in significant losses of revenue: if your customers do not trust your brand to keep their credit card information protected, they will spend their money elsewhere, which could have a huge impact on your finances.
How can you address these challenges?
By deploying advanced security tools, businesses can take the legwork out of preparing for an upcoming audit. Using tools like Tripwire Enterprise, you can streamline the road to PCI readiness. Rather than simply ‘box-checking’, you can focus on what really matters.
How can Tripwire Enterprise do this?
- You can automate compliance checks and workflows from ready-built PCI templates.
- Tripwire can alert you to misconfigurations or changes in your systems as soon as they occur, allowing you to close security holes in real time.
- Tripwire offers real-time change intelligence as well as step-by-step guidance to remediate any non-compliance issues.
- The tool lets you generate fully customisable compliance reports for any point in time of your choosing. Automated controls and processes drastically reduce the time it takes to prepare for cumbersome audits, and this capability enables your business to remain compliant 100% of the time.
- It can help to harden your devices (operating systems, POS systems, virtual systems, cloud-based assets, network devices, directory servers and databases) to block common attack vectors and reduce the risk of breaches.
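To make the change-detection idea in the bullets above concrete, here is an added example that is not Tripwire's code and not part of the original post: it takes a baseline snapshot of a directory (SHA-256 digest and permission bits per file), takes a second snapshot later, and reports which files were added, removed or modified. The directory, its files and the simulated drift (a weakened TLS setting, a stray script, a permission change, a deleted key) are all constructed inside the script so it runs offline; a production FIM tool would persist the baseline and alert on each difference.

```python
"""Minimal file-integrity baseline and change detection (illustrative, not Tripwire's code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (sha256_hex, mode)} for every regular file under root."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = oct(path.stat().st_mode & 0o777)  # permission bits only
        state[str(path.relative_to(root))] = (digest, mode)
    return state


def diff_snapshots(baseline, current):
    """Classify files as added, removed or modified (content or mode changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a config directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("tls_min_version = 1.2\n")
        (root / "allowed_ips.txt").write_text("10.0.0.0/8\n")
        (root / "old.key").write_text("constructed-placeholder-key\n")
        os.chmod(root / "allowed_ips.txt", 0o640)
        baseline = snapshot(root)

        # Simulated drift: weakened setting, new script, loosened mode, deleted file.
        (root / "app.conf").write_text("tls_min_version = 1.0\n")
        (root / "debug.sh").write_text("#!/bin/sh\necho debug\n")
        os.chmod(root / "allowed_ips.txt", 0o666)
        (root / "old.key").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Each reported change is a candidate alert; in practice you would also record who made the change and compare the new content against the expected configuration, which is what the remediation guidance in the bullets above refers to.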