By Gabriel Leperlier, Senior Manager Security Consulting EMEA at Verizon Enterprise Solutions
When companies are attacked, personal and financial customer information from payment card data is often the target. The Payment Card Industry Data Security Standard (PCI DSS) was designed to help protect payment data from the point of purchase and beyond. Surprisingly, Verizon has seen compliance with this standard decline over recent years. Verizon’s 2019 Payment Security Report digs deeper to see why this is happening and, more importantly, with the latest version of the standard, PCI DSS 4.0, launching soon, how businesses can turn this trend around by rethinking how they implement and structure their compliance programs.
When Visa Inc. initially launched the PCI DSS in 2004, many assumed that organizations would achieve effective and sustainable compliance within five years. Now, 15 years on, the number of businesses achieving and maintaining compliance has dropped from 52.5 percent (2018 PSR) to a low of just 36.7 percent worldwide. Geographically, organizations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6 percent, compared to 48 percent in Europe, Middle East and Africa (EMEA) and just 20.4 percent (1 in 5) in the Americas.
Putting the business sectors under the microscope
By examining key industry sectors, we can see that they not only differ in their compliance ratings but also in how they fall short of full compliance, requiring industry-specific re-alignment in order to improve their rankings.
Retail – Four years ago, retail data was most often compromised at the point of sale. Since then, Europay, Mastercard and Visa (EMV) chip technology has been introduced in the United States and appears to have reduced the value proposition of card-present fraud; our research shows that data breaches are now primarily occurring through web applications. However, security breaches haven’t been entirely eliminated, and retailers must remain vigilant about protecting card data. The compliance rate within retail organisations ranked at 26.3 percent, in line with IT services. Where retailers fell short in meeting PCI DSS requirements was in leaving too many vendor-supplied defaults in place across in-scope components (Requirement 2) and, importantly, in complying with the requirement to maintain good security management (Requirement 12). This was also reflected in retail scoring the lowest of all industries studied in data breach incident preparedness, struggling with identifying users and ensuring that they had the right level of privileges; following due diligence when engaging service providers; detecting unauthorized wireless access points; and maintaining an incident response (IR) plan.
Hospitality – While hospitality still had the lowest score for encrypting data in transit (PCI DSS Requirement 4), it was the only industry that improved in this category from the previous year. Hospitality also improved at protecting against malicious software (Requirement 5). It showed the most improvement of any industry in meeting this requirement, increasing its compliance to 84.2 percent. Hospitality was the only sector we studied in the 2019 PSR that improved its ability to control physical access (Requirement 9) from the previous year, increasing its compliance score to 63.2 percent. While hospitality lagged behind other industries at protecting stored cardholder data (Requirement 3), it also had some unique challenges to overcome, including a lack of mature solutions designed for hospitality environments. Hospitality struggled most with user identification and authentication, reviewing and testing the incident response plan, and training on breach responsibilities.
Finance – The financial services industry is facing a rapidly changing landscape. Customers are demanding new ways to engage and conduct personalized transactions—particularly over mobile devices. Meanwhile, the industry continues to see entrants from other industries offering financial products. In this competitive and highly regulated environment, the ability to protect payment card data can be a crucial differentiator. Customers have high expectations that financial service providers understand the need for payment security better than other kinds of businesses. According to our PSR data, the financial services industry did better than any other industry on PCI DSS requirements overall; however, it could do a better job of encrypting data in transit (Requirement 4) and of protecting against malicious software (Requirement 5).
New Verizon framework to help businesses navigate payment security compliance
Many organizations spend a lot of time and money creating data protection compliance programs, but often these are ineffective — looking good on paper but not able to withstand the scrutiny of a professional security assessment. We still see Chief Information Security Officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.
Data protection and compliance present daily challenges. Many organizations believe they can use a one-size-fits-all script to achieve effective and sustainable data protection. However, in the real world, security is more complicated.
In previous Payment Security Reports, we developed a methodology to help organizations manage their Data Protection Compliance Programs (DPCPs). These elements have now been combined to form the Verizon 9-5-4 Compliance Program Performance Framework — a guideline that helps develop and improve capability and process maturity.
The 9-5-4 Framework is designed to help organizations achieve repeatable, consistent and predictable outcomes. It offers guidance on how to map, monitor and report the status of sustainability and effectiveness for each of the 9 Factors of Control Effectiveness and Sustainability (control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment), across each of the 4 essential lines of assurance (individual accountability; risk management and compliance teams; internal audit; external audit and regulators), by evaluating the 5 Constraints of Organizational Proficiency (capacity, capability, competence, commitment and communication).
What is clear from our findings in this year’s report is that many organisations still have a way to go to be fully compliant, but with the right tools and focus it is possible. Payment security compliance is key.
Data from our Verizon Threat Research Advisory Center (VTRAC) also demonstrates that a compliance program without the proper controls to protect data has a more than 95 percent probability of not being sustainable and is more likely to be a potential target of a cyberattack.
For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches. There is no public record of any organization ever experiencing a confirmed payment card data compromise while it was compliant with PCI DSS. Compliance works!
CAPITAL MARKETS – LIQUIDITY MANAGEMENT DURING COVID-19
Tony Farnfield, Partner at management and technology consultancy, BearingPoint
When “Dr. Doom” predicted the 2008 financial crisis back in 2006, spoke of a necessary market correction and called for the repricing of riskier assets, and later predicted a continued global financial slowdown or even a global recession starting in 2020, those predictions were based on known factors affecting the global economy. The unforeseen outbreak of Covid-19, and the increased volatility it has brought to global financial markets, was not taken into account.
Three months on from the initial outbreak, we have already witnessed the biggest intraday drop in the Dow Jones Industrial Average. The outbreak, coupled with the oil price shock, triggered responses from the Federal Reserve, the Bank of England and the Bank of Canada to cut benchmark rates in an effort to even out the shock to the wider economies.
There is a high degree of uncertainty about how the coronavirus crisis will unfold. We could experience only a temporary disruption, lasting from a few weeks to a few months, or prolonged stress in markets, assuming that it will be months until vaccine clinical trials begin and that rate cuts (already reaching bottom) will have limited effect as stimulus.
Banks have undeniably improved their liquidity following post-financial-crisis regulatory guidance; however, treasury departments will need to prepare for, and caveat, a wide range of possible outcomes. Traditional stress testing, scenario development and re-calibration have not taken into account conditions such as those experienced with the Covid-19 outbreak, or the speed with which events evolved.
At a generic level, there are three key steps Treasurers should look to take:
- Convert uncertainties into emerging and quantifiable risks
This is already being considered by some of the larger financial institutions under their crisis management responses. However, it’s important to highlight that even for those that have triggered the crisis management process, the forecasting, rebalancing and risk assessment should be continuous, taking into account new developments in the following manner:
Continuously monitor and develop scenarios of potential sources that could disrupt funding and liquidity usage. With the right analytical capability, cash-flow projections should adapt to changing scenarios, including scenarios coming from the different business lines. Scenario sources could include unexpected credit usage that could encourage either large prepayments or defaults, or changing corporate customer behaviour – deposit inflows from corporates and depositors affecting leverage-constrained institutions. Also, there should be some consideration given to the availability of funding sources or, for wholesale funding, acceleration or reduction of funding plans.
Take immediate actions in increasing liquidity and cash holdings in the short term to cover for the uncertainty.
Continuous risk assessment
Account for emerging risks that were not previously considered, such as the temporary closure of operations or reduced capacity of market utilities. Assess those scenarios and how they are captured and factored into stress tests. Intraday liquidity should be the primary focus for understanding immediate cash requirements.
- Refine your liquidity risk measurement
Better identification, measurement and analysis of key liquidity drivers should become core to an institution’s ability to effectively manage and mitigate unique risks not previously considered. To do this, Treasurers should review the frequency of their monitoring and move to daily stress tests and daily Early Warning Indicator testing so that daily developments are captured.
In-depth analysis of risks
Re-run your liquidity risk identification exercise to better understand your current exposures, examining in particular those specific to this outbreak crisis, e.g. oil-related, airline, marine or supply chain related exposures.
Re-calibrate based on new understanding
Re-assess existing scenarios or add new scenarios covering a range of events and timeframes (e.g. sustained spread of the virus over x months vs limited spread and containment). Revisit your Early Warning Indicators to monitor emerging risks. At a later point, revisit these again to assess whether market signals existed and whether they were picked up by your indicators.
- Review your mitigation plan
Identification, assessment and measurement are only part of the overall response. Stresses or risks that could crystallise need to be accompanied by mitigating actions that are agile and feasible under current market conditions. Contingency funding actions might need to be revisited to determine whether additional actions need to be considered.
Revisit and verify the availability of near-real-time reports, such as securities holdings position reports. Such information should be readily available and synthesised in case you need to communicate clear and concise liquidity management plans to investors, regulators or other market participants in order to foster confidence in the market.
In summary, reviewing and preserving an institution’s liquidity under extreme and volatile circumstances is the core responsibility of any treasurer. However, we know that any scenario or contingency planning is unlikely to be fully predictive of unprecedented scenarios such as this. Re-visiting already set practices and testing their efficacy and completeness should be the first step before considering inserting new scenarios and new actions into the mix. Nothing tried and tested can always remain true.
STOP THE CONFUSION: HOW TO KNOW IF YOUR BUSINESS MAY BE INSURED AGAINST COVID-19
By Alex Balcombe, Partner at Harris Balcombe
The last few weeks have seen businesses in hospitality, tourism, retail, leisure and more forced to close their doors following the Government’s orders that they should close to prevent the spread of coronavirus.
While this is expected to flatten the curve and reduce the number of coronavirus cases, it will of course have an impact on businesses and employees alike. For small businesses especially, there are many concerns about how they can claim on their insurance to soften the blow of this impact.
In response to calls to help struggling businesses, the Government has informed the public that companies that are facing turmoil will be able to claim on their business interruption insurance during this difficult time. For most, this is wrong.
The insurance industry has also been extremely vocal that there is no cover for any coronavirus-hit businesses during this tough financial period. This isn’t strictly true either.
How can businesses see through the mixed messaging and best secure their future and their livelihoods and reduce money worries? It’s an extremely stressful time for many companies, and confusion over whether or not they can be covered can only cause more unnecessary stress.
Since it’s a new disease, most businesses will not be covered for business interruption due to COVID-19. In fact, the vast majority of policies do not cover anything related to COVID-19.
That said – don’t rule out the idea that you may be covered. There is a chance that you will be covered against COVID-19, but not know it. This is a very small chance, but your current cover may already protect your business against the consequences of coronavirus, and the nationwide response to it – though those with this cover are unlikely to realise it.
How Could I Be Covered?
Not everyone has business interruption insurance, as it’s not a legal requirement. It is entirely up to the policy holder to weigh up the benefits of having it, and their ability to trade should a disaster happen.
To be considered for cover for COVID-19, there are two types of policy extensions to your business interruption cover that can potentially cover you for this situation:
Infectious Disease Extension
Many policies expressly list which diseases count as infectious or notifiable diseases. As COVID-19 is a new disease, these policies will not have included it, and where this is the case your policy will not provide cover.
Other infectious disease extension policies will define the disease with reference to the actions of the government. Since the UK Government has named COVID-19 as a notifiable disease throughout the UK, it is possible that your business may fall into this definition, thus meaning you may be able to make a claim.
However, again, it’s not always that simple. Many policies require the disease to have been on your premises, while others specify a radius from your premises in order to qualify.
Denial of Access Extension (non-damage)
Denial of Access Extension (non-damage) policies may cover you if you’re prevented from accessing your property. This could be due to an event or to the actions of a competent authority, either of which could cause your business interruption cover to engage.
Even where this clause is present, there are often very subtle differences in wording between insurers and policies. You may well be covered, but it will depend on your particular circumstances and the specific policy wording.
It’s clear that the Government needs to do more to ensure there is clear messaging for businesses, and to help the insurance market look after policy holders. This is an unprecedented situation, and with many people looking to claim on their insurance, we’re already seeing major delays which could have a domino effect.
People throughout the world are understandably facing all kinds of worries because of the current pandemic. Our ways of living have changed, and many business owners will not have experienced a situation like this in their lifetimes. If you own a business and are unsure about whether you can claim for business interruption, or are confused about ambiguous wording, get in touch with a loss assessor.
These claims are not simple, but loss assessors will be experts in business interruption insurance, and will specialise in large and complex claims. They will be able to help and guide you along the way, check your wording and work on your behalf to make sure you get everything you are entitled to.