At 38.5%, Hospitality has the Lowest Payment Security Compliance Score
After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a concerning downward trend with companies failing compliance assessments and perhaps, more importantly, not maintaining - full compliance.
The Payment Card Industry Data Security Standard (PCI DSS) helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. PCI DSS compliance has been shown (via the Verizon Data Breach Investigations Report series) to help protect payment systems from both data breaches and theft of cardholder data, so this trend is alarming.
Data gathered by Verizon’s PCI DSS qualified security assessors (QSAs) during 2017 demonstrates that PCI compliance is decreasing amongst global businesses, with only 52.4 percent of organizations maintaining full compliance in 2017, compared to 55.4 percent in 2016. Regional differences are highlighted, demonstrating that companies in the Asia-Pacific region are more likely to achieve full compliance at 77.8 percent, compared to those based in Europe (46.4 percent) and the Americas (39.7 percent). These differences can be attributed to the timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems.
By business sector, IT services remain on top when it comes to compliance, with over three-quarters of organizations (77.8 percent) achieving full status. Retail (56.3 percent) and financial services (47.9 percent) were significantly ahead of hospitality organizations (38.5 percent), which demonstrated the lowest compliance sustainability. With businesses often leveraging PCI DSS compliance efforts to meet the security requirements of data protection regulations, such as the European Data Protection Regulation (GDPR), this gap between the various business sectors that deal with electronic payments on a daily basis is significant.
The report also found that hospitality came in dead last, compared to all other industries, when it comes to being fully compliant for: maintaining a firewall configuration (69.2%), do not use vendor supplied defaults (69.2%, a drop of 20.8pp), protect stored cardholder data (69.2%), and protect data in transit (61.5%), protect against malicious software (76.9%, a drop of 18.1pp), restrict access (84.6%), authenticate access (53.8% - a drop of 41.2pp and one of the biggest drops Verizon has ever seen in all its years of reporting), control physical access (53.8%, a drop of 26.2pp), track and monitor access (61.5%—a drop of 28.5pp, implying a decrease in vigilance and attention to access control).
When it comes to protecting data in transit, the report reprimanded the hospitality industry, saying: "At 61.5%, hospitality companies saw a 28.5pp drop in compliance. Outdated systems and legacy connections to acquirers often created a gap in 4.1.a (Identify all locations where CHD is transmitted or received over open/public networks). Showing that systems were set to the highest vendor-recommended settings and documenting Appendix A2, for instances of SSL/early TLS, were the greatest hang-ups for hospitality companies. This is a failure of control robustness, the ability to withstand ever-evolving threat landscapes and exploits."
“Data-sharing and cross-industry collaboration is vital to understand the evolving threat landscape and to progress global payment security. As evident in this report, organizations continue to face challenges maintaining high-levels of security and demonstrating ongoing compliance in rapidly changing environments,” said Troy Leach, Chief Technology Officer of the PCI Security Standards Council. “Organizations should pay close attention to the findings in the report to remain vigilant for key learnings on how to remain secure. Compliance should never be seen as the end goal for security but rather a measurement for an organization’s continued success in protecting data.”
To help businesses comply with PCI DSS standards, Verizon developed nine factors for businesses to consider. Verizon's aim was to provide a clear structure and methodology to first help compliance personnel but also to equip them to open compliance dialogue with their board members. For compliance process to be effective, they have to be driven from the top.
- Factor 1: Control Environment: The sustainability and effectiveness of the 12 Key Requirements depends on a healthy Control Environment.
- Factor 2: Control Design: Proper control operation to meet DSS security control objectives depends on sound Control Design.
- Factor 3: Control Risk: Without on-going maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down. Mitigation of control failures requires integrated management of Control Risk.
- Factor 4: Control Robustness: Controls operate in dynamic business and ever-changing threat environments. They must be robust to resist unwanted change to remain functional and perform to specifications (configure standards, access control, system hardening, etc.).
- Factor 5: Control Resilience: Security controls can potentially still fail, despite adding layers of control for increased robustness, therefore control resilience with proactive discovery and quick recovery from failure is essential for effectiveness and sustainability .
- Factor 6: Control Lifecycle Management: To achieve all of the above it is necessary to monitor and actively manage security controls throughout each stage of their lifecycle from inception to retirement.
- Factor 7: Performance Management: Establishing and communicating performance standards to measure the actual performance of the control environment improves control effectiveness, and promotes predictable outcomes of your data protection and compliance activities, allowing for early identification and correction of performance deviations.
- Factor 8: Maturity Measurement: A control environment should never be stagnant – it must improve continuously. To do so, businesses need a roadmap, a target level of process and capability maturity to track the degree of formality and optimization of processes as indication of how close developing processes are to being complete and capable of continual improvement.
- Factor 9: Self-Assessment: Achieving all of the above requires in-house proficiency – resource capacity (people, processes and technology), capability (supporting processes), competency (skills, knowledge and experience) and commitment (the will to consistently adhere to compliance requirements) – in short a self-assessment proficiency