The report, which has been an annual affair since 2010, comes at a time when the EU is preparing to bring its data breach rules into force. Australia is also due to introduce similar laws in February 2018.
The EU General Data Protection Regulation provides for fines for failing to protect personal information, which includes payment card data, of up to €20 million or 4% of annual turnover, whichever is greater. Australia's laws will apply to organisations with an annual turnover of more than A$3 million.
The survey found that only 9% of organisations in which card data had been breached were able to provide evidence of fully conforming to the PCI DSS requirements.
The 12 key requirements of the PCI DSS are:
- Install and maintain a firewall configuration to protect cardholder data;
- Do not use vendor-supplied defaults for system passwords and other security parameters;
- Protect stored cardholder data;
- Encrypt cardholder data in transit across open, public networks;
- Protect all systems against malware and keep anti-virus software up to date;
- Develop and maintain secure systems and applications;
- Restrict access to cardholder data by business need to know;
- Identify and authenticate access to system components;
- Restrict physical access to cardholder data;
- Track and monitor all access to network resources and cardholder data;
- Regularly test security systems and processes; and
- Maintain a policy that addresses information security for all personnel.
Verizon said that of the nearly 300 card data breaches it had investigated between 2010 and 2016, every one took place at an organisation that was not fully compliant with the PCI DSS requirements at the time of the breach.
The report was based on data gathered by Verizon's team of PCI Qualified Security Assessors (QSAs), who have carried out more than 5000 assessments at more than 500 organisations, including government agencies.
A lack of qualified personnel was found to be hampering implementation of the standard. The report also found that having a single powerful control in place, such as strong authentication, could cut attacks by as much as four-fifths.
Ashish Thapar, managing principal – Investigative Response, and Ferdie Delos Santos, senior manager – Security Assurance APAC, Verizon, discussed the report with iTWire during a phone call on Wednesday.
iTWire sought detail on how many organisations or companies were examined for the 2017 report, but this was not forthcoming.
Both Thapar and Delos Santos agreed that the security of the underlying operating platform should be included in the report. The 2017 version makes no mention of how much security depends on the operating system that runs payment devices such as point-of-sale terminals or ATMs.
They also agreed that having patched systems was no indicator of overall security, though patching could contribute to lowering the likelihood of a card data breach.
While the 2017 report found that the percentage of organisations achieving compliance had increased, it also found that the control gap (the average percentage of required controls that organisations failing an assessment did not have in place) had widened.
In 2015, the average gap among organisations that failed was 12.4% of controls; in 2016 it was 13%.
Globally, the best level of compliance was found in the IT services industry, where 61.3% of organisations achieved full compliance, followed by financial services (59.1%), hospitality (50%) and retail (42.9%).
The report can be downloaded here after registration.