Do you have accountability for the security of payments within your organisation?
If so, have you read the Verizon 2019 Payment Security Report (PSR) yet?
For those of you short on time to read the full 2019 PSR, try the Executive Highlights.
This article is based on Verizon’s findings and on our own experiences and opinions from the last 12 years (we work with numerous level 1 merchants, QSAs and acquirers to achieve and maintain Payment Card Industry Data Security Standard (PCI DSS) compliance in the UK and Europe).
I explore, at a very high level, what has gone wrong (the PSR tells us that levels of PCI compliance are falling fast), whether PCI compliance is still necessary or relevant, and whether it is acceptable that levels of PCI compliance are reported to be falling.
Considered one of the most authoritative reports in the payments and security industries (published since 2010), the PSR tells us 'Since 2008, Verizon has tracked the percentage of organizations that achieve PCI DSS compliance...' and 'When the PCI Security Standards Council (SSC) published the PCI DSS in 2004, it was expected that organizations would achieve effective and sustainable compliance within about five years.'
As we now know, implementing and maintaining PCI DSS controls is far more complex than first thought; complex payment ecosystems that have evolved over many years with little thought for information security don't lend themselves to quick fixes.
The PSR highlights that PCI compliance rose from a lowly 11.1% in 2012 to a high of 55.4% in 2016, but the upward trend has since reversed and compliance had fallen to 36.7% by the end of 2018.
It’s fair to say that most of us have sought ways to reduce our PCI compliance burden over the years or even looked for legitimate ways to ‘stop doing PCI altogether’, or hoped new payment technologies might render card payments, and by default, PCI compliance redundant.
However, let’s be realistic: payments by card are not going to go away any time soon, so it follows that PCI DSS is not going to disappear any time soon either. During the twelve years I’ve been engaged in PCI compliance, many very well-informed security professionals have declared that 'PCI is dead' or 'PCI will fade and die in the next year', yet PCI DSS is still alive and well, and the PCI SSC are currently working flat out on V4.0, which we expect to see in its final form in early 2021 (I'll talk more about PCI DSS V4.0 in another article).
When Visa Europe abolished non-compliance penalties in late 2016, many merchants questioned the necessity and relevance of PCI compliance. The PSR reports that levels of PCI compliance have decreased since 2016, but I don't believe Visa Europe’s policy change was solely responsible.
Visa’s policy change applies only to Visa's European merchants, and PCI compliance has always remained Visa’s intent, with good information security as the enabler of PCI compliance; Visa’s European policy heavily discounts the heavier cardholder breach penalties if PCI compliance can be proven at the point of a breach.
The 2016 change in stance on non-compliance penalties may, however, have slowed down the attestation of PCI compliance that Verizon reports for a short time; with the pressure of non-compliance penalties removed, many merchants sensibly took the opportunity to pause and review their PCI compliance programmes, to make sure that PCI was being implemented in a strategically viable way and driven as part of a holistic information security programme.
Importantly, no one stopped their PCI compliance programme, and information and data security, including maintaining PCI compliance, consistently remains one of the top five Executive Board priorities.
Merchants understand the importance of protecting customers' cardholder data and, in turn, protecting their own businesses’ reputations. The advent of GDPR in the same period meant that many merchants implemented strong privacy and data security controls in parallel with PCI DSS, further strengthening the case for holistic data governance, information security and privacy, very often using PCI DSS alongside other compatible frameworks to drive suitable security controls.
Significantly, the Verizon PSR highlights a ‘control gap’, defined as the number of failed controls divided by the number of controls expected. In further analysis the PSR states that the control gap has decreased by 6.2% to 10.2%, and that this translates to ‘just under 90% compliance for most organizations’.
This suggests that whilst organisations aren’t achieving 100% PCI compliance, they may be achieving greater levels of partial compliance, which means that the risk to cardholder data is being significantly reduced. My experience certainly points to this: merchants have focussed on devising information security governance, risk and compliance programmes that meet the needs of multiple regulatory, legislative and contractual information security and privacy requirements (i.e. GDPR, PCI DSS, PSD2), and far from slowing down PCI compliance efforts, I believe partial PCI compliance has actually risen.
The Verizon PSR does not give any insight into how merchants are structuring their PCI compliance programmes. In my experience the most effective approach is to manage PCI compliance by payment channel; merchants taking this approach have mostly prioritised the riskiest channels, driven significant risk reduction and increased overall levels of PCI compliance, even if they have not yet had every payment channel attested as PCI compliant.
So long as partial PCI compliance is rising and Verizon’s control gap is decreasing, it may be acceptable that levels of attested overall PCI compliance are falling, provided the end goal remains achieving and maintaining 100% PCI compliance as a by-product of good information security practice.
Other factors mentioned by the Verizon PSR include ‘changes in personnel and mergers can throw a proverbial wrench into the works... Changes in the operating environment can also leave the ship adrift without guidance’.
These are real issues for most merchants; commercial decisions made for the benefit of the organisation’s continued growth, and sometimes survival, may have a detrimental impact on overall PCI compliance in the short term. A merchant who maintains 100% PCI compliance may fall back to a much lower figure if they acquire another business which is working towards, but has not yet achieved, full PCI compliance at the moment of acquisition.
Operating environments may have to be changed for sound commercial reasons and may not be fully PCI compliant at the outset; they then become part of the ongoing PCI compliance journey, reducing risk first and foremost, implementing holistic information security best practice and then, almost by default, reaching 100% PCI compliance.
I see many merchants going through cycles of organisational restructuring to remain competitive and relevant to their customers and to survive in a harsh and uncertain economic environment, with inevitable disruption to the personnel delivering PCI compliance and, in turn, disruption to the maintenance of compliance.
All of these factors can have a direct impact on an organisation’s ability to maintain PCI compliance successfully each year when re-attestation of a previously certified compliant payment channel becomes due.
The Verizon PSR also provides insight into cardholder data breaches, stating ‘we can definitively state we have never reviewed an environment or investigated a PCI data breach involving an affected entity that was truly PCI DSS compliant—even if it had a signed Attestation of Compliance (AOC)’, and goes on to analyse the impact of specific PCI requirements not being achieved on cardholder data breaches.
This implies that maintaining 100% PCI compliance is the best defence against a cardholder data breach, adding more weight to the argument that compliance with the most recent PCI DSS is still necessary and relevant.
So let me summarise: even though this article has only scratched the surface of the questions I set out to explore, I don’t think that anything has gone fundamentally wrong with levels of PCI compliance. The PSR headline statistics reflect that compliance reporting is still very binary and doesn’t account for what I believe are actually increased levels of partial PCI compliance at payment channel level.
So, putting my head above the parapet, I believe that PCI compliance is most definitely still necessary and relevant if you want to proactively protect your customers’ cardholder data and your organisation's reputation, and the PCI DSS framework can also provide structure to your overall information security posture, in combination with other privacy and information control models.
Please feel free to debate any of the topics or opinions I have covered above.
If any of the topics discussed in this article affect you, I’d love to hear from you, and if we can help you with any of these topics within your own organisation, we’d love to talk to you.
If you’d like us to get in touch please write to me directly at firstname.lastname@example.org with COFFEE&PCI in the email title and I’ll prioritise getting back to you for a no fee conversation.
Thank you for taking the time to read this article.