Even though COVID-19 has brought its fair share of limelight on cybersecurity, cardholder payment data continues to be far from secure. According to new research by Verizon, only one in four organizations keep cardholder payment data secure. This is even after the fact that cardholder payment data is among the hot favorite for cybercriminals, with 9 out of 10 data breaches being financially motivated. In fact, 99% of security incidents analyzed by the recent 2020 Data Breach Investigation Report were focused on acquiring payment data for criminal use.
The Verizon Business 2020 Payment Security Report pointed out that a lack of long-term payment security strategy and execution is among the key reasons why payment data is handled so precariously. Several companies are struggling to retain qualified CISOs or security managers, and this is another reason for this alarming trend that puts a dent on sustained compliance within the Payment Card Industry Data Security Standard (PCI DSS).
The report highlighted that only 27.9% of global organizations maintained full compliance with PCI DSS. Even here there has been a decline in compliance with a 27.5%-point drop since compliance peaked in 2016.
“Unfortunately, we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business. “The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information. Payment security has to be seen as an on-going business priority by all companies that handle any payment data, they have a fundamental responsibility to their customers, suppliers and consumers.”
The report also underscored that even security testing has taken a backseat for several companies where just a little over half the surveyed organizations successfully test security systems and processes as well as unmonitored system access. Here, only two-thirds of all businesses track and monitor access to business-critical systems adequately, while only 7 out of 10 financial institutions (70.6%) maintain essential perimeter security controls.
“This report is a welcome wake-up call to organizations that strong leadership is required to address failures to adequately manage payment security,” said Maxine Holt, Senior Research Director at Omdia.
