Credit-card regulation compliance down, but being compliant boosts cybersecurity

In the olden times, nearly all businesses took checks, and all happily accepted cash payments. Stores began placing promotional stickers on their doors, beckoning to customers, with the promise that they accepted credit cards. These days, there are stores which do not accept cash and take nothing but credit and debit cards. More and more locations are accepting Apple Pay. Some vendors even accept PayPal payments, and only need to check email on their smartphone to ensure a customer's payment has gone through. Still, credit cards remain the most popular way for people to make purchases, and every organization that accepts them must concede to the payment card industry (PCI) standards compliance, and assure their customers that they will keep their private information secure.

Since 2003, organizations have been required to comply with payment-card industry regulations and to be assessed against payment-card data-security standards. But many organizations are going through the machinations of annual validation, so they need to move data protection and compliance processes and capabilities to a more substantive level. The lack of a sound strategy to measure data protection effectiveness and sustainability, created an unnecessary financial loss, in companies' quest for data protection and does not allow an organization to get better at maintaining compliance. This approach may lead to a false sense of security . Many organizations appear stuck in a reactive cyclic pattern, focusing only on meeting baseline compliance requirements, and not looking ahead at a more proactive way/

SEE: 10 tips for new cybersecurity pros (free PDF) (TechRepublic)

For the last nine years, Verizon has published the Payment Security Report (PSR), which provides an in-depth perspective on the regulatory landscape of the payment card industry, as well as on the value and performance of the Payment Card Industry Data Security Standard (PCI DSS).

The just-released, 2019 edition of the PSR focuses on visibility, control, and maturity and includes an analysis of realigning a compliance program to improve goals and design a sustainable path to better data-protection maturity. It also builds on established factors from previous PSRs.

Key objectives

Verizon listened to the requests of CISOs (Chief Information Security Officers) for guidance on key objectives:

1. Sustainable control effectiveness

2. Predictable program performance and outcomes

The report also includes new tools, like the Verizon 9-5-4 Compliance Program Performance Evaluation Framework (DCCEF) to push compliance management to higher levels of assurance and predictability.

2019 main points

The 2019 PSR covers: the current global state of compliance, and how organizations are maintaining (and not maintaining) PCI DSS compliance:

PCI DSS, which was established in 1999, refers to cardholder data protection programs. Visa launched its program in 2004 and apparently assumed that organizations would achieve effective and sustainable compliance within five years. In 2010, Verizon began the report that tracked the percentage of organizations that maintain compliance by measuring PCI DSS compliance during interim assessment l, as an indication of full compliance. Full compliance has ranged from 22% in 2009 to a low of 7.5% in 2011, with a high of 55.4% in 2016.

Low numbers in active compliance

The report this year reveals that just more than a third (36.7%) of organizations were actively maintaining PCI DSS programs in 2018. This downward trend (from 2016's aforementioned high) has caused major concern.

Many companies create programs that only look good on paper, but cannot withstand the scrutiny of a professional security assessment. Programs that have failed as inadequate or overly complex and stem from a lack of proficiency in designing, implementing, monitoring and evaluating a DPCP.

The report also reveals that there is a strategy to data protection, in which companies must assess risk and plan several steps ahead, each executed strategically. CISOs need a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.

Organizations need to be able to react effectively to changes in the control environment. That's tough to do when limited to a task-based approach to compliance programs.

The global challenge with payment security is not the inherent lack of sustainability or control effectiveness. These are merely symptoms of a widespread problem caused by inadequate strategy, which originates from a lack of proficiency in organizations to design, implement, monitor and evaluate for a sustainable data protection compliance program.

Control objectives

The three fundamental control objectives of internal controls (ORCs):

The entire objective is based in the company's desire to create convenience for customers, encourage them to return, while still maintaining tight, security that can't be breached.

Critical questions

The report then outlines critical questions to ask and answer to achieve the most critical goals:

Addressing these questions may seem daunting, but once a company has carefully reviewed and addressed each of these questions, they will grow closer to complete compliance.

Also see