Thursday, 31 August 2017 15:08

Verizon report finds vendors lagging on card payment security


A report on card payment security issued by the US company Verizon has revealed that almost half the organisations surveyed for the 2017 report were not compliant with all the regulations laid down for secure transactions.

The report, which has been an annual affair since 2010, comes at a time when the EU is looking to bring in data breach regulations. Australia is also looking to introduce similar laws in February 2018.

The EU General Data Protection Regulation includes provision for fines for failing to protect personal information — which includes payment card data — of up to €20 million or 4% of turnover, whichever is greater. Australia's laws will levy fines on organisations that have turnover of more than A$3 million.

The survey found that only 9% of organisations where card security had been breached were able to provide evidence of fully conforming to the PCI DSS regulations.

The Payment Card Industry Data Security Standard, or PCI DSS, is an information security standard set up by the major card brands for organisations that handle payment cards.


The key requirements for a security set-up are:

  • Install and maintain a firewall configuration;
  • Do not use vendor-supplied defaults;
  • Protect stored cardholder data;
  • Protect data in transit;
  • Protect against malicious software;
  • Develop and maintain secure systems;
  • Restrict access;
  • Authenticate access;
  • Control physical access;
  • Track and monitor access;
  • Test security systems and processes; and
  • Maintain information security policy.

Verizon said that of the nearly 300 card data breaches it had investigated between 2010 and 2016, all took place at organisations that were not compliant with the PCI DSS requirements.

The report was based on data sourced from Verizon’s team of PCI Qualified Security Assessors (QSAs), who have carried out more than 5000 assessments at more than 500 organisations, including government agencies.

A lack of qualified personnel was found to be hampering the implementation of these requirements. Additionally, it was found that having a single powerful control, such as strong authentication, in place could cut attacks by as much as four-fifths.

Ashish Thapar, managing principal – Investigative Response, and Ferdie Delos Santos, senior manager – Security Assurance APAC, Verizon, discussed the report with iTWire during a phone call on Wednesday.

iTWire sought detail on how many organisations or companies were examined for the 2017 report, but this was not forthcoming.

Both Thapar and Delos Santos agreed that the question of operating platform security should be included in the report. There is no mention in the 2017 version of how much security is affected by the underlying operating system that runs payment devices like point-of-sale machines or ATMs.

They also agreed that the presence of patched systems was not in itself an indicator of overall security, though patching could contribute to lessening the possibility of a card data breach.

While the 2017 report found that the percentage of organisations that were becoming compliant had increased, it also found that the control gap — the average percentage of controls that companies failing an audit did not have in place — had widened.

In 2015, this figure was 12.4% of controls among failed companies, while the 2016 percentage was 13%.

Globally, the best level of compliance was found in the IT services industry where 61.3% achieved full compliance followed by financial services (59.1%), hospitality (50%) and retail (42.9%).

The report can be downloaded here after registration.




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
