Payment security compliance declines – Only 1 in 3 companies globally make the grade and just 1 in 5 in the Americas
November 12 2019 - 12:01AM
Payment security compliance has declined for the second year in a
row, with organizations based in the Americas lagging behind
worldwide counterparts, Verizon’s 2019 Payment Security Report
(2019 PSR) flags.
When Visa Inc. initially launched the PCI DSS in 2004, many
assumed that organizations would achieve effective and sustainable
compliance within five years. Now, 15 years on, the number of
businesses achieving and maintaining compliance has dropped from
52.5 percent (2018 PSR) to a low of just 36.7 percent worldwide.
Geographically, organizations in the Asia-Pacific (APAC) region
show a stronger ability to maintain full compliance at 69.6
percent, compared to 48 percent in Europe, Middle East and Africa
(EMEA) and just 20.4 percent (1 in 5) in the Americas.
PCI DSS helps
businesses that offer card payment facilities protect their payment
systems from breaches and theft of cardholder data, as shown in the
Verizon Data Breach Investigations Report series. Compliance is
measured on an organization’s ability to meet — and importantly,
maintain — the standard.
“After witnessing a gradual increase
in compliance from 2010 to 2016, we are now seeing a worrying
downward trend and increasing geographical differences,” said
Rodolphe Simonetti, global managing director for security
consulting at Verizon. “We see an increasing number of
organizations unable to obtain and maintain the required compliance
for PCI DSS, which has a direct impact on the security of their
customers’ payment data. With the latest version of the PCI DSS
standard 4.0 launching soon, businesses have an opportunity to turn
this trend around by rethinking how they implement and structure
their compliance programs.”
New Verizon framework helps businesses navigate payment security compliance
Data protection and
compliance present daily challenges. Many organizations believe
they can use a one-size-fits-all script to achieve effective and
sustainable data protection. However, in the real world, security
is more complicated. Simonetti continues, “Many organizations spend
a lot of time and money creating data protection compliance
programs, but often these are ineffective — looking good on paper
but not able to withstand the scrutiny of a professional security
assessment. We still see Chief Information Security Officers
focusing on how to maintain baseline control activities rather than
looking at data protection competency and maturity. What is needed
is a clear and easy-to-understand navigational guide to help them
deliver measurable results and predictable outcomes.”
In previous
Payment Security Reports, Verizon developed methodology to help
organizations manage their Data Protection Compliance Programs
(DPCPs). These have now been combined to form the Verizon 9-5-4
Compliance Program Performance Framework — a guideline which helps
develop and improve capability and process maturity. The 9-5-4
Framework is designed to help organizations achieve repeatable,
consistent and predictable outcomes by offering guidance on how to
map, monitor and report the status of sustainability and
effectiveness for each of the 9 Factors of Control Effectiveness
and Sustainability — including control environment, control design,
control risk, control robustness, control resilience, control
lifecycle management, performance management, maturity measurement
and self-assessment. This is across each of the essential 4 lines
of assurance — individual accountability, risk management and
compliance teams, internal audit, external audit and regulators —
and is achieved by evaluating the 5 Constraints of Organizational
Proficiency — capacity, capability, competence, commitment
and communication.
Link reinforced between lack of compliance and breaches
The report also includes data from the Verizon
Threat Research Advisory Center (VTRAC), which demonstrates that a
compliance program without the proper controls to protect data has
a more than 95 percent probability of not being sustainable and is
more likely to be a potential target of a cyberattack.
“For years,
we have discussed the close correlation between the lack of PCI DSS
compliance and cyber breaches,” concludes Simonetti. “In this
year’s report, we included even more data from the Verizon VTRAC
team, the authors of Verizon’s Data Breach Investigation series, to
add more depth to this discussion. Our data shows that we have
never investigated a payment card security data breach for a PCI
DSS compliant organization. Compliance works!”
About the Verizon 2019 Payment Security Report
This year's report focuses on performance
visibility, control and maturity of DPCPs. It includes results from
302 PCI DSS engagements for a range of organizations, including
Fortune 500 and large multinational firms in more than 60
countries. The assessments were conducted by Verizon's team of PCI
Qualified Security Assessors (QSAs), as well as large third-party
QSAs, including ControlScan, Foregenix, MegaplanIT and
Schellman. Similar to Verizon's Data Breach Investigations
Report series, the 2019 PSR is based on actual casework with a
specific focus on financial services (50.7 percent), IT services
(17.5 percent), retail (19.9 percent) and hospitality (10.6
percent). Geographies include the Americas (50.0 percent), APAC
(20.0 percent), and EMEA (30.0 percent).
Verizon Communications Inc.
(NYSE, Nasdaq: VZ), headquartered in New York City, generated
revenues of $130.9 billion in 2018. The company operates America’s
most awarded wireless network and the nation’s premier all-fiber
network, and delivers integrated solutions to businesses worldwide.
With brands like Yahoo, TechCrunch and HuffPost, the company’s
media group helps consumers stay informed and entertained,
communicate and transact, while creating new ways for advertisers
and partners to connect. Verizon’s corporate responsibility
prioritizes the environmental, social and governance issues most
relevant to its business and impact to society.
VERIZON’S ONLINE MEDIA CENTER: News releases, stories, media
contacts and other resources are available at
www.verizon.com/about/news/. News releases are also available
through an RSS feed. To subscribe, visit
www.verizon.com/about/rss-feeds/.
Media Contacts:
Clare Ward (EMEA), +44 (0) 118 905 2501, clare.ward@uk.verizon.com
Nil Pritam (APAC), +65 9277 9048, nilesh.pritam@sg.verizon.com
Najuma Thorpe, +1.732.427.2304, najuma.thorpe@verizon.com