Eighty per cent of global companies, including retailers, financial institutions and hospitality firms, failed tests in 2014 to determine whether they were compliant with the Payment Card Industry Data Security Standard (PCI DSS), according to a Verizon compliance report.
The share of organisations found to be fully compliant did rise compared with the previous year, from just 11.1 per cent in 2013 to 20 per cent in 2014, but the result is still worrying: PCI DSS is regarded as the most basic industry-wide baseline for thwarting card-data attacks, and four-fifths of companies remain non-compliant.
Verizon said that of all the data breaches it has investigated in the past 10 years, not a single breached company was found to be compliant at the time the breach occurred. It also found that most companies upgrade their security software and hardware only in the run-up to an annual compliance check, rather than maintaining controls throughout the year.
The 12 PCI DSS requirements are: installing and maintaining a firewall configuration, not using vendor-supplied defaults for system passwords and other security parameters, protecting stored cardholder data, encrypting transmission of cardholder data across open public networks, using and regularly updating anti-virus software, developing and maintaining secure systems and applications, restricting access to cardholder data on a need-to-know basis, assigning a unique ID to each person with computer access, restricting physical access to cardholder data, tracking and monitoring all access to network resources and cardholder data, regularly testing security systems and processes, and maintaining a policy that addresses information security.
Verizon assessed more than 5,000 merchants in 30 countries and found that overall compliance was up by 18 percentage points for 11 of the 12 PCI DSS requirements.
Slava Gomzin, a retail security expert and the author of “Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions”, believes that the trouble with PCI DSS measures is that they are essentially backward-looking.
He believes they have proved increasingly ineffective at helping organisations protect against a range of emerging threats to their PoS systems, despite frequent point releases of the PCI DSS standard.
Indeed, the standard has been widely criticised as a prescriptive and expensive tick-box exercise, designed to address the type of security breaches that occurred in the early 2000s. Since then, cyber criminals have found new weaknesses in merchants' systems that they can exploit, such as memory-scraping malware on PoS terminals and compromised third-party access, which a periodic compliance snapshot does little to detect.
In the best-known recent example of a major breach, US retailer Target was compromised after a spear-phishing attack on a third-party supplier yielded credentials that gave the attackers a foothold in Target's network, with the details of as many as 110 million customers stolen. Target had been certified as fully PCI DSS compliant shortly before the breach.