
WHY IS PAYMENT SECURITY COMPLIANCE DECLINING WITH ONLY 1 IN 3 COMPANIES GLOBALLY MAKING THE GRADE?

By Gabriel Leperlier, Senior Manager Security Consulting EMEA at Verizon Enterprise Solutions

When companies are attacked, personal and financial customer information from payment card data is often the target. The Payment Card Industry Data Security Standard (PCI DSS) was designed to help protect payment data from the point of purchase and beyond. Surprisingly, Verizon has seen compliance with this standard decline over recent years. Verizon’s 2019 Payment Security Report digs deeper to see why this is happening and, more importantly, with the latest version of the standard, PCI DSS 4.0, launching soon, how businesses can turn this trend around by rethinking how they implement and structure their compliance programs.

When Visa Inc. initially launched the PCI DSS in 2004, many assumed that organizations would achieve effective and sustainable compliance within five years. Now, 15 years on, the number of businesses achieving and maintaining compliance has dropped from 52.5 percent (2018 PSR) to a low of just 36.7 percent worldwide. Geographically, organizations in the Asia-Pacific (APAC) region show a stronger ability to maintain full compliance at 69.6 percent, compared to 48 percent in Europe, Middle East and Africa (EMEA) and just 20.4 percent (1 in 5) in the Americas.

Putting the business sectors under the microscope 

By examining key industry sectors we can see that they differ not only in their compliance ratings but also in how they fall short of full compliance, so each needs industry-specific re-alignment in order to improve its ranking.

Retail – Four years ago, retail data was most often compromised at the point of sale. Since then, Europay, Mastercard and Visa (EMV) technology has been introduced in the United States and appears to have reduced the value proposition of card-present fraud; our research now shows that data breaches are occurring primarily through web applications. Security breaches haven’t been eliminated, however, and retailers must remain vigilant about protecting card data. The compliance rate within retail organisations was 26.3 percent, in line with IT services. Where retailers fell short of PCI DSS requirements was in leaving too many vendor-supplied defaults in place across in-scope components (Requirement 2) and, importantly, in meeting the requirement for sound security management (Requirement 12). This was also reflected in retail scoring the lowest of all industries studied in data breach incident preparedness: struggling to identify users and ensure they had the right level of privileges; to follow due diligence when engaging service providers; to detect unauthorized wireless access points; and to maintain an incident response (IR) plan.

Hospitality – While hospitality still had the lowest score for encrypting data in transit (PCI DSS Requirement 4), it was the only industry that improved in this category from the previous year. Hospitality also improved at protecting against malicious software (Requirement 5). It showed the most improvement of any industry in meeting this requirement, increasing its compliance to 84.2 percent. Hospitality was the only sector we studied in the 2019 PSR that improved its ability to control physical access (Requirement 9) from the previous year, increasing its compliance score to 63.2 percent. While hospitality lagged behind other industries at protecting stored cardholder data (Requirement 3), it also had some unique challenges to overcome, including a lack of mature solutions designed for hospitality environments. Hospitality struggled most with user identification and authentication, reviewing and testing the incident response plan, and training on breach responsibilities.

Finance – The financial services industry faces a rapidly changing landscape. Customers are demanding new ways to engage and conduct personalized transactions—particularly over mobile devices. Meanwhile, the industry continues to see entrants from other industries offering financial products. In this competitive and highly regulated environment, the ability to protect payment card data can be a crucial differentiator, and customers expect financial service providers to understand the need for payment security better than other kinds of businesses. According to our PSR data, the financial services industry did better than any other industry on PCI DSS requirements; however, it can do a better job of encrypting data in transit (Requirement 4) and of protecting against malicious software (Requirement 5).

New Verizon framework to help businesses navigate payment security compliance

Many organizations spend a lot of time and money creating data protection compliance programs, but often these are ineffective — looking good on paper but not able to withstand the scrutiny of a professional security assessment. We still see Chief Information Security Officers focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.

Data protection and compliance present daily challenges. Many organizations believe they can use a one-size-fits-all script to achieve effective and sustainable data protection. However, in the real world, security is more complicated.

In previous Payment Security Reports, we developed methodology to help organizations manage their Data Protection Compliance Programs (DPCPs). These have now been combined to form the Verizon 9-5-4 Compliance Program Performance Framework — a guideline which helps develop and improve capability and process maturity.

The 9-5-4 Framework is designed to help organizations achieve repeatable, consistent and predictable outcomes by offering guidance on how to map, monitor and report the status of sustainability and effectiveness for each of the 9 Factors of Control Effectiveness and Sustainability — control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment. This is done across each of the 4 essential Lines of Assurance — individual accountability, risk management and compliance teams, internal audit, and external audit and regulators — and by evaluating the 5 Constraints of Organizational Proficiency — capacity, capability, competence, commitment and communication.

What is clear from our findings in this year’s report is that many organisations still have a way to go to be fully compliant but with the right tools and focus it is possible. Payment security compliance is key.

Data from our Verizon Threat Research Advisory Center (VTRAC) also demonstrates that a compliance program without the proper controls to protect data has a more than 95 percent probability of not being sustainable and is more likely to be a potential target of a cyberattack.

For years, we have discussed the close correlation between a lack of PCI DSS compliance and cyber breaches. There is no public record of any organization ever experiencing a confirmed payment card data compromise while compliant with PCI DSS. Compliance works!

Mitigating the insurance risks of climate change through geospatial data visualisation

By Richard Toomey, Senior Manager, Commercial Insurance at LexisNexis Risk Solutions UK and Ireland

In the lead-up to the 26th United Nations Climate Change Conference of the Parties (COP26)[i] in November 2021, a United in Science report[ii] provided a stark warning of the impact and acceleration of climate change. The UK Environment Agency also warned of more extreme weather leading to increased flooding and drought[iii]. While some progress was made at the conference, understanding the changing risks created by extreme weather, in order to price property insurance more effectively and, more importantly, to help mitigate the physical risks posed by climate change, has become imperative.

Mapped geospatial data intelligence including live data on flood warnings and river flows, viewed alongside data held by insurance providers on the properties in their portfolio, can be a key ally in helping to protect customers and reduce claims losses created by extreme weather events.

With air temperatures rising and heavy rain becoming more frequent due to climate change, insurance providers are looking to identify properties that are more at risk than others. For example, properties with basements carry a substantially higher risk of surface water claims than others, especially in London where space is tight and water runoff is low. In the autumn of 2021, the industry saw a number of high value claims due to basement flooding. There are some very large high net worth (HNW) households with big basements which carry a significant insurance risk. The problem is that in many cases insurance providers don’t know whether a property they have ‘on cover’ actually has a basement.

The huge and growing volume of data now available to the insurance market for assessing property risk to the level the industry needs could easily overwhelm, and prove a barrier to, the swift decisions needed in weather-related surge events. However, the evolution of desktop-based geospatial data visualisation tools such as LexisNexis® Map View means insurance providers can make quick, informed decisions based on a picture or map of risk, looking at a specific geographical region, a postcode, an address or a single property outline.

They can look at environmental risks including flood, fire and subsidence and live flood data updated every 15 minutes direct from the Environment Agency, as well as highly predictive flood risk data from respected flood modelling organisations. Insurance providers can also bring in data on the characteristics of a property to understand more about its construction, including the type of roof it has, how many floors there are, the square footage, as well as further data on the location and the individuals behind a business to gain a more holistic understanding of risk for pricing.

Mapping of historical flood data brings a further dimension to the understanding of risk, revealing the maximum extent of all individually recorded flood outlines from rivers, the sea and groundwater springs in England and Wales. This takes into account the presence of defences, structures, and other infrastructure where they existed at the time of flooding and includes floods where overtopping, such as at seawalls, river breaches or blockages may have occurred.

But the real step-change for the market has been the recent ability to view live flood and other environmental data in tandem with the customer and policy data held within an insurance provider’s own databases.

Crucially, this means insurance providers can pinpoint, down to individual properties, the policyholders most at risk as weather events unfold, should a river burst its banks or a flood barrier fail, as well as those properties that may actually be vacant at the time of the event.

Through data visualisation tools, insurance providers can gauge where flood water may go so that policyholders can be warned to take measures to protect themselves, their possessions and to move any vehicles to higher ground. They can even see where roads may have been closed due to fallen trees. All this intelligence helps with planning on the ground resources, working with local authorities and claims adjusters. Then, in the immediate aftermath, rather than wait for a deluge of claims, insurance providers are in a position to reach out to customers known to be in areas affected to support them through the claims process.

The inherent flexibility of today’s geospatial data visualisation tools for the insurance market means risk can be assessed as needed or as a constant monitor across a whole commercial property portfolio. Fundamentally, these tools are designed to streamline the assessment of property risk.

In the future, commercial and residential property claims data gathered from the whole of the market may allow insurance providers to look at a whole portfolio alongside past claims, but for now they can bring in their own claims data to build a more granular picture of risk, to price more accurately and understand how they could help mitigate future claims and potential losses caused by weather events.

A picture can say a thousand words and data visualisation tools can certainly make highly complex risk data easy to understand and act upon. Being able to instantly visualise an environmental risk to policyholders – day or night – using highly granular data on past and present flood events puts insurance providers in a more powerful position to reduce the misery and costs caused by extreme weather.

[i] https://ukcop26.org/wp-content/uploads/2021/07/COP26-Explained.pdf

[ii] https://public.wmo.int/en/media/press-release/climate-change-and-impacts-accelerate

[iii] https://www.gov.uk/government/news/adapt-or-die-says-environment-agency – The Environment Agency’s third adaptation report, October 2021

What should you know about PAN data in PCI DSS?

By Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC), Founder and Director of VISTA InfoSec

Introduction

The Primary Account Number (PAN), often called the PAN number, is highly sensitive data used when making online payments or transactions. Customers share this data with the merchants from whom they purchase products or services online, and they expect merchants and financial institutions to protect it and prevent breaches. For many merchants, storing PAN data is a necessity, as they may have a legitimate business reason to store cardholder data. But storing PAN data carries its share of risk for a business’s network security. Over the years businesses have been storing this data on their servers for easy and quick access without realizing the risk it holds and the impact it may have on the business.

In fact, most of the data breach incidents that have occurred over the years are due to the storage of unencrypted PAN data on merchants’ or service providers’ servers. While the PCI Council clearly states that PAN data should not be stored, most merchants store it on their networks for increased consumer convenience. Storing customers’ PAN data increases the security risk and also increases the scope of PCI compliance. So, unless a business has a legitimate commercial reason to store PAN data, it should not store it. To cover this in more detail, we share below what businesses must know about PAN data and PCI DSS to ensure compliance. Before getting to that, let us understand the term PAN data.

What is PAN Data?

PAN data is basically the 15 or 16 digit number on the front of your debit or credit card, also known as the Primary Account Number. PANs are also called payment card numbers and are found on payment cards such as credit and debit cards. The PAN is printed or embossed on the front of the card. Customers present the PAN to merchants at the Point of Sale (POS); it identifies the issuer and the cardholder account when a payment is made. Customers making an online purchase share the PAN to pay online, and merchants use these PAN details to process the payment.

How does PAN Impact PCI DSS Compliance?

The Payment Card Industry Data Security Standard clearly states that merchants dealing with online payments or accepting credit/debit card payments must avoid storing sensitive PAN numbers. PCI DSS Requirement 3 addresses the protection of stored cardholder data. Storing PAN data will therefore automatically increase the scope of PCI DSS compliance for merchants, and they will have to take additional measures to secure the stored PAN data on their network.

Storing unencrypted PAN data on the network increases the risk of a breach and can have a significant impact on the business. It is therefore necessary to secure PAN data through encryption or the other techniques set out in the PCI DSS requirements. To explain the requirement, we have shared the PCI DSS data storage requirements in detail below.

PAN Data storage in PCI DSS

Merchants may at times have to store PAN data on their servers for commercial purposes. For these reasons, they will have to take extra precautions and implement additional measures to ensure the security of the data and compliance with PCI DSS. The PCI Council outlines the requirement to encrypt cardholder data stored with the merchant. However, it is important to note that not all elements of cardholder data need to be encrypted when stored on the server. It is only the PAN that needs to be encrypted; the remaining Sensitive Authentication Data (SAD), such as full magnetic stripe data, may not be stored by merchants at all.

What is more important to know and understand about PAN data storage is that the only time PAN is not considered cardholder data would be when details such as the cardholder’s name and/or expiry date are not present. But this does not really happen in practice, so merchants will have to implement measures to secure PAN data. Merchants must equip their data network to handle the PAN securely, especially when it is transmitted at the POS.

Moreover, PCI DSS Requirement 3.4 states that all merchants must use one of the following techniques to render the PAN unreadable. This requirement applies wherever PAN data is stored or at rest, including on portable digital media, on backup media and in logs. The techniques for rendering PAN data unreadable include:

  • Strong cryptography of the PAN
  • PAN truncation (removal of the middle digits)
  • Index tokens and pads
  • Key-management processes

PCI DSS Requirement 3.3 specifically requires the PAN to be masked whenever it is displayed, so that the only digits of the PAN that may be visible are the first six and last four. Only authorized parties with a legitimate commercial need can see the rest of the number.
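
As an added example (not code from the article or from VISTA InfoSec), the following Python shows side by side the techniques the Requirement 3.3 and 3.4 text above describes: display masking, storage truncation and a one-way hash of the PAN, plus a scan for PANs left in clear text in log lines, which Requirement 3.4 also covers. The sample PANs are the public Visa and Amex test numbers, the hash key is a placeholder, and the log lines are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample PANs: the well-known Visa and Amex test numbers, not real accounts.
SAMPLE_PAN_16 = "4111111111111111"
SAMPLE_PAN_15 = "378282246310005"

# Placeholder key for the keyed hash (assumption). In a real deployment it comes from
# the key-management processes Requirement 3.4 refers to, never from source code.
DEMO_HASH_KEY = b"placeholder-key-from-key-management"


def _digits(pan: str) -> str:
    """Strip spaces/dashes and enforce the 13 to 19 digit length range of a PAN."""
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return d


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; used only to cut false positives when scanning logs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking (Requirement 3.3): at most the first six and last four digits show."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation (Requirement 3.4): the middle digits are removed, not hidden,
    so what is kept (first six + last four) can never be turned back into the PAN."""
    d = _digits(pan)
    return d[:6] + d[-4:]


def hash_pan(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """One-way hash for lookups without storing the PAN. A keyed hash (HMAC) is used
    rather than bare SHA-256: once the six-digit BIN is known only about 10**9 Luhn-valid
    PANs remain, so an unkeyed hash could be reversed by hashing every candidate.
    PCI DSS also notes that a hash and a truncation of the same PAN must not be kept
    where they can be correlated to rebuild it."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


# Constructed log lines: clear PAN (violation), masked PAN (fine), unrelated 13-digit id.
LOG_LINES = [
    "2022-01-17 10:01:02 checkout ok pan=4111111111111111 amount=12.50",
    "2022-01-17 10:01:03 checkout ok pan=411111******1111 amount=12.50",
    "2022-01-17 10:01:04 order id=1234567890123 status=shipped",
]

PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_unmasked_pans(lines):
    """Requirement 3.4 covers logs too: flag lines holding a Luhn-valid 13 to 19 digit run.
    Each finding is reported masked so the scanner does not leak the PAN a second time."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_ok(m.group()):
                findings.append((lineno, mask_pan(m.group())))
    return findings
```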

Final Thought

Despite all the clarity given about the threat of storing PAN data, nearly 65% of merchants continue to store unencrypted PAN data on their servers and networks. What adds to the problem is that merchants are not able to handle and appropriately secure the stored PAN and cardholder data. Understanding the importance of PAN data and securing it is crucial to preventing breaches and theft, and the only way to do so is by implementing defensive measures for handling such sensitive data. Ensuring that the PAN is protected using one-way hashing or truncation is one way of assuring customers that their cardholder data is secure. It also helps businesses maintain PCI DSS compliance and secure sensitive data.
