Global organizations continue to put their customers’ cardholder data at risk due to a lack of long-term payment security strategy and execution, according to the Verizon report.
With many companies struggling to retain qualified CISOs or security managers, the lack of long-term security thinking is severely impacting sustained compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Cybercriminals still mostly targeting payment data
Payment data remains one of the most sought-after and lucrative targets for cybercriminals, with 9 out of 10 data breaches being financially motivated, as highlighted by the report. Within the retail sector alone, 99 percent of security incidents were focused on acquiring payment data for criminal use.
On average only 27.9 percent of global organizations maintained full compliance with the PCI DSS, which was developed to help businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.
More concerning, this is the third successive year that a decline in compliance has occurred with a 27.5 percentage point drop since compliance peaked in 2016.
“Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business.
“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information.
“Payment security has to be seen as an on-going business priority by all companies that handle any payment data; they have a fundamental responsibility to their customers, suppliers and consumers.”
Few organizations successfully test security systems
Additional findings shine a spotlight on security testing, where only 51.9 percent of organizations successfully test security systems and processes, and on unmonitored system access, where approximately two-thirds of all businesses track and monitor access to business-critical systems adequately.
In addition, only 70.6 percent of financial institutions maintain essential perimeter security controls.
“This report is a welcome wake-up call to organizations that strong leadership is required to address failures to adequately manage payment security. The Verizon Business report aligns well with Omdia’s view that the alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, in this case with PCI DSS 3.2.1 to provide appropriate levels of payment security.
“It makes clear that long-term data security and compliance combines the responsibilities of a number of roles, including the Chief Information Security Officer, the Chief Risk Officer, and Chief Compliance Officer, which Omdia concurs with,” comments Maxine Holt, senior research director at Omdia.
Difficulty maintaining PCI DSS compliance impacts all businesses
SMBs were flagged as having their own unique struggles with securing payment data. While smaller businesses generally have less card data to process and store than larger businesses, they have fewer resources and smaller budgets for security, impacting the resources available to maintain compliance with PCI DSS.
Often the measures needed to protect sensitive payment card data are perceived as too time-consuming and costly by these smaller organizations, but as the likelihood of a data breach for SMBs remains high, it is imperative that PCI DSS compliance is maintained.
The on-going CISO challenge: Security strategy and compliance
The report also explores the challenges CISOs face in designing, implementing and maintaining an effective and sustainable security strategy, and how these can ultimately contribute to the breakdown of compliance and data security management.
These problems were found to be not technological in nature but the result of organizational weaknesses, which could be resolved by more mature management skills, including creating formalized processes, building a business model for security, and defining a sound security strategy with operating models and frameworks.
Calendars for security and compliance audits are largely unchanged despite COVID-19, yet the pandemic is straining teams as they work remotely, according to Shujinko.
Moreover, CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes.
Furthermore, the results show that migration to the cloud is dramatically increasing the scope and complexity of audit preparation, obsoleting old methods and approaches.
“This survey clearly shows that CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them,” said Scott Schwan, Shujinko CEO.
“Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility. More than two-thirds of CISOs are looking for something better.”
CISOs preparing for more than three audits
Despite changes in the economic climate due to COVID-19, CISOs are still tasked with preparing for more than three upcoming compliance audits across multiple security frameworks (e.g., PCI, SOC 2, NIST-CSF, ISO 27001, etc.).
Most common audits are for HITRUST, HIPAA and PCI DSS
51% of CISOs surveyed indicated they are preparing for a HITRUST audit in the next six to twelve months, 45% are preparing for HIPAA, 43% for PCI DSS, 41% for CCPA and 36% for an internal audit. In addition, 77% of companies preparing for SOC-2 audits were software companies.
CISOs are worried about doing more with less
COVID-19 has amplified CISOs’ concerns about doing more with less (both people and budget) with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources and ensuring that evidence is complete round out CISOs’ top five concerns.
CISOs desperately want more automation
72% of security executives say they want to improve the automation of their audit preparation process, and automation was cited as the number one element most CISOs would change if they could. Team communication and collaboration rounded out the top three most desired improvements.
Two-thirds of CISOs dislike their current tool set
The survey found that CISOs are currently using a mix of home-grown scripts, spreadsheets, ticketing systems, shared documents, SharePoint and e-mail to prepare for audits. No CISOs reported having a security audit preparation tool that they are completely satisfied with.
CISOs have poor visibility into the audit process
No CISOs rated visibility into key audit preparation steps a complete success and only one rated it a 4 out of 5 – suggesting poor executive line-of-sight into hitting audit deadlines.
Audit processes don’t fit a cloud development model
Only 1 percent of CISOs said that their audit preparation process completely aligns with the speed and agility that is needed for rapid cloud application development and frequent iteration.
Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance
When Adobe released security updates for Magento last week, it warned that the Magento 1.x branch is reaching end of life (EOL) and end of support (EOS) on June 30, 2020, and that those were the final security patches available for Magento Commerce 1.14 and Magento Open Source 1.
Unfortunately, there are still too many (over 100,000) active Magento 1.x installations. The company is urging their owners and admins to migrate to Magento 2.x or risk being hit once another critical and easily exploited vulnerability is unearthed and its existence made public.
Magento is a very popular open-source e-commerce platform that powers many online shops, a fact that hasn’t gone unnoticed by cyber criminals.
Nearly four years ago (and possibly even earlier), cyber crooks started concentrating on breaching Magento-based shops and injecting them with scripts that quietly grabbed users’ personal and payment card information and sent it to a server they controlled.
Since then, the tactic has been used and continues to be used by many cyber criminal groups, which have been classified by security companies as “Magecart” attackers. As they are quick to exploit newfound vulnerabilities in the Magento core and third-party extensions, hardly a day passes without news about another online shop having been compromised.
If you decide to stick with Magento 1
“If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site’s security and PCI DSS compliance,” Adobe warned.
Merchants that continue to use an unsupported Magento 1 version will have to implement compensating controls to re-certify PCI DSS compliance, such as signing up for and implementing third-party fixes and updates, continuously scanning their installations for malware, vulnerabilities and unauthorized accounts, using a web application firewall, and so on.
“General security vulnerabilities tend to increase the longer software is unsupported as hackers continue to use new technologies and techniques for exploitation. This raises the risk of attacks and security breaches over time and increases the possibility of exposing personally-identifiable customer data,” Adobe explained.
Companies risk their reputation, the trust of their customers, fines and may even lose their credit card processing ability if they fail to protect user information.
Another thing: the end of support for Magento 1 also means that some extensions merchants use will not be available anymore.
“We encourage Magento 1 merchants to download the Magento 1 extensions they plan to keep, since Magento 1 extensions will not be available in the Magento Marketplace after July 7, 2020, and will be removed from the Magento repository after August 6, 2020,” Adobe noted last week.
Magento 2 or something else?
PayPal, Visa and other payment processing companies and payment platforms have also been urging merchants to make the switch to Magento 2.
Even though Magento 2 was released five years ago, and even though the migration from Magento 1 to Magento 2 can be performed using an official Data Migration Tool, the number of Magento 2 installations is still lagging (it’s currently around 37,500 installations).
As “painful” and costly as it may be, this EOL will hopefully push many of them to finally make the switch – or make the switch to an alternative platform.
“2020 has been a tumultuous year for retailers. Merchants should not have to worry about security issues or upgrading their ecommerce platform while they are in the middle of adapting to drastically changed consumer behaviors and expectations. Amidst the list of business-critical priorities a merchant needs to focus on, worrying about what’s happening with a Magento migration or installation should not be included,” noted Jimmy Duvall, Chief Product Officer at BigCommerce.
Being the PCI guy at my company carries a certain amount of burden. Not only am I responsible for all of the ongoing compliance and yearly assessments, but I also have to interpret the PCI DSS scriptures on how PCI affects products, initiatives, and platform decisions.
Anyone closely involved with PCI recognizes that our mission tends to be of a holy order. And it’s often a lonely and monastic order: we read the arcane words and interpret them for the common layperson to understand.
What you don’t know could hurt you
If you’ve been the arbiter of PCI for your company, you’ve probably run into a variety of misunderstandings, long-held misconceptions, and just weird ideas. (Nodding your head?) These aren’t limited to occasional questions from co-workers—they also happen with many vendors. I’m honestly surprised that so many vendors operating in areas that impact PCI compliance have virtually no clue about how their products affect or are affected by PCI.
After all, there’s no excuse to be clueless. One of the great things about PCI is that the rules are available for anyone to peruse. That’s why many discussions about PCI end pretty quickly when you simply ask someone to point to the PCI DSS guidelines to support their argument. I can usually tell I’m working with a seasoned professional if they can quote chapter and verse. I can also tell when someone hasn’t done their homework.
Having worked in the PCI world for several years, I’ve seen a lot of good and a lot of bad. Here are three of the biggest misconceptions and misunderstandings I tend to run into.
Misconception #1: You believe a certain product or system is out of PCI scope
The first misconception primarily impacts vendors. It’s the misconception that just because a piece of equipment doesn’t process or transmit credit card data, it’s not in the scope of PCI. This simply isn’t true.
There are essentially two types of systems in scope. One type is any system that directly touches credit card information. The second is any system in the larger connected environment that touches the first type of system.
Vendors tend to get into trouble when they have a device that directly talks to a POS or similar credit card processing system. The moment that device can talk to the POS that’s in scope, it’s basically a given that it (and whatever it touches) is also in scope as a connected system. It’s not always a black-and-white distinction, but you must have very tight firewall rules to make your case.
Misconception #2: You’ve accurately scoped your CDE
The second misconception involves what PCI compliance fundamentally tries to protect. While the PCI DSS guidelines have good recommendations for general security, they’re specifically trying to protect payment-related information. If you’re implementing the controls well, they do a solid job of increasing overall security. But at the end of the day, the scope is intentionally narrow.
That’s why one of the biggest issues I see companies struggling with is how to adequately define their card data environment (CDE). Getting the scope right for CDE is the most essential thing you can do, and everything else builds on top of that.
This is where understanding the card data flow comes into play. You must be able to articulate how a credit card transaction is created and transmitted from beginning to end. This understanding forms the basis of what is in scope and what is not. Because the precise goal of PCI is to protect card data, you should almost always try to reduce scope.
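The scoping logic from Misconceptions #1 and #2, as an added example that is not part of the original article: starting from the systems in the card data flow, it walks the permitted network flows to show which systems become connected systems and through which chain of rules. The system names, ports and firewall policy are constructed, and treating any permitted flow in either direction as "touching" is a simplifying assumption.

```python
from collections import deque

# Constructed inventory: systems that directly touch card data (the CDE).
CDE = {"pos-terminal", "payment-gateway"}

# Constructed firewall policy: permitted (source, destination, port) flows.
ALLOWED = [
    ("pos-terminal", "payment-gateway", 443),
    ("loyalty-kiosk", "pos-terminal", 8443),   # vendor device that talks to the POS
    ("digital-signage", "loyalty-kiosk", 80),  # touches the kiosk, never the POS
    ("patch-server", "pos-terminal", 8530),
    ("hr-laptop", "file-server", 445),         # no path to the CDE at all
]


def classify_scope(cde, allowed):
    """Map each system to (category, hops, path), searching outward from the CDE."""
    # Assumption: a permitted flow in either direction means two systems "touch".
    neighbours = {}
    for src, dst, _port in allowed:
        neighbours.setdefault(src, set()).add(dst)
        neighbours.setdefault(dst, set()).add(src)

    result = {system: ("cde", 0, [system]) for system in cde}
    queue = deque(sorted(cde))
    while queue:  # breadth-first, so each path is the shortest chain of rules
        current = queue.popleft()
        _category, hops, path = result[current]
        for nxt in sorted(neighbours.get(current, ())):
            if nxt in result:
                continue
            category = "connected" if hops == 0 else "connected-indirectly"
            result[nxt] = (category, hops + 1, path + [nxt])
            queue.append(nxt)

    for system in neighbours:  # everything the search never reached
        result.setdefault(system, ("no-path-to-cde", None, []))
    return result


def without_rule(allowed, src, dst):
    """Return the policy with every flow between src and dst removed."""
    return [rule for rule in allowed if {rule[0], rule[1]} != {src, dst}]


if __name__ == "__main__":
    for name, (category, hops, path) in sorted(classify_scope(CDE, ALLOWED).items()):
        print(f"{name:16} {category:22} hops={hops} via {' -> '.join(path)}")
```

The returned path names the rule chain that pulls a device into scope, which is the chain to tighten or remove when arguing that the device is out of scope.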
Misconception #3: Not recognizing the differences between PA-DSS and PCI DSS
The third misconception is about the differences between the PA-DSS (which is used to certify payment solutions) and the PCI DSS (which is used to assess adherence to the data security standard). This might seem contradictory, and it probably should be, but there are many cases where you can have a system that has a PA-DSS certification that will not meet PCI DSS compliance.
Again, this goes back to the problems that vendors face in these situations. More than a few times I’ve seen a company get surprised during an assessment when the QSA asked to see the updates to fix vulnerabilities in Windows systems upon which a vendor has built their POS solution. Usually the customer has no control over those updates—they’re typically bundled with a vendor’s application update. I’ve witnessed some pretty hairy phone calls between a QSA, store operator, and vendor trying to sort out why a POS hasn’t been patched in a few years to fix known Windows vulnerabilities.
You can’t outsource ownership
One critical aspect to remember is that if you’re subject to PCI compliance, you’re ultimately responsible for everything. No matter how much you outsource, you can’t outsource ownership. That includes depending on a PA-DSS. I’ve actually worked with vendors to roll out systems that their own techs have installed—only to discover that the installation doesn’t even meet the vendors’ own PA-DSS standards.
As a bonus tip, if you’re working with vendors to select a new payment solution, read through their PA-DSS before making any decisions. Ask hard questions about how their rollout, installation, and real-world management matches up to their PA-DSS. Test the PA-DSS configuration first. I’ve had PA-DSS guides include language and features that aren’t actually built into the solution. It honestly makes me wonder how they got a PA-DSS certification to begin with, but that’s another topic of discussion for later.
Safety measures for credit card data storage include PCI security standards, removal of credit card information, and individual vendor’s safety measures.
Many businesses now rely on credit card transactions to improve their sales, and they store their clients’ credit card details for future online transactions. This makes it fairly easy for identity thieves to commit their crimes. Hence, there are particular credit card security laws that every business must follow for safer credit card transactions and information storage.
PCI security standards
One global forum dedicated to safeguarding credit card account data is the PCI Security Standards Council. The major credit card service providers require all merchants who handle credit cards to apply security standards that protect cardholders from theft. Large businesses with more than 6 million transactions a year are required to have system scans every 90 days from a private auditor, including comprehensive on-site examinations. Meanwhile, companies with fewer than 20,000 transactions annually must submit a written report on their own on-site review of their transactions; nevertheless, they only need to follow the guidelines given by their banking institution. If a merchant fails to follow the set guidelines and credit card data is stolen, the merchant can lose the privilege of accepting credit card payments from numerous major credit card companies.
Elimination of credit card information
Credit card data stored in merchants’ systems must be removed as often as possible. The frequency of removal depends on the level of the merchant’s credit card information security and on the type of business. Certain information, however, such as the CVV2 and CIV codes, cannot be stored. These codes are the three- or four-digit numbers positioned at the front, middle, or back area of the credit card, and they are the card’s last line of protection against security threats. Furthermore, merchants may not store PIN data or magnetic stripe data; when details are stolen, the merchant could be fined as much as 500,000 dollars per incident.
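One way to check stored records for the data this section says must not be kept, as an added example that is not part of the original article: it flags magnetic stripe tracks, card verification code fields and Luhn-valid card numbers by line number, without echoing the values. The log format, field names and sample records are constructed (the card number is a widely used test number), and PIN data is not covered because it has no recognisable text pattern.

```python
import re

# Magnetic stripe layouts: track 1 starts "%B", track 2 starts ";", both end "?".
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2 = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]*\?")
# A field named like a card verification code that holds 3 or 4 digits.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|civ)\b\W{1,4}\d{3,4}\b", re.IGNORECASE)
# Candidate card numbers: 13 to 19 contiguous digits, confirmed by the Luhn check.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample records for the demonstration.
SAMPLE = [
    "2020-07-01 12:00:01 order=1001 pan=4111111111111111 exp=1225 status=approved",
    "2020-07-01 12:00:05 order=1002 card=411111******1111 cvv=123",
    "2020-07-01 12:00:09 debug raw=;4111111111111111=25121010000000000000?",
    "2020-07-01 12:00:12 order=1003 ref=1234567890123456 status=declined",
    "2020-07-01 12:00:15 debug raw=%B4111111111111111^DOE/JANE^25121010000000000?",
]


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line):
    """Return the kinds of card data found in one record, never the values."""
    kinds = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        if rx.search(line):
            kinds.append(kind)
            line = rx.sub(" ", line)  # so the track's card number is not counted twice
    if CVV_FIELD.search(line):
        kinds.append("cvv")
    if any(luhn_ok(m.group()) for m in PAN.finditer(line)):
        kinds.append("pan")           # stored card number: candidate for removal
    return kinds


def scan(lines):
    """Return {line_number: [kinds]} for every record that holds card data."""
    findings = {}
    for number, line in enumerate(lines, 1):
        kinds = scan_line(line)
        if kinds:
            findings[number] = kinds
    return findings


if __name__ == "__main__":
    for number, kinds in scan(SAMPLE).items():
        print(f"line {number}: {', '.join(kinds)}")
```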
Private merchant’s security measures
Aside from the security measures set by the PCI council and the merchant’s bank, merchants should also have their own security measures to safeguard their clients’ credit card details. This can be done by carrying out regular security assessments of data systems and of the staff of the business. Companies must hire trustworthy, independent computer hackers to find faults in their security systems, as well as solutions to these issues. Physical documents with credit card information, such as credit card invoices, are fairly easy for thieves to take when they walk into the premises of the business. Hence, merchants should also have cross-cut document shredders for shredding documents that are no longer required, instead of keeping them forever. If these papers must be kept for a long time for record-keeping reasons, they must be stored in a very safe place under lock and key that is kept closed at all times. Employees must also be checked regularly for trustworthiness by running specific tests on them. A good way to do this is to hire a person from outside the business to pose as someone asking for clients’ details over the phone. This allows the company to determine whether any of the staff will break the security standards of the business.
Credit card security should be enforced to its maximum level. This is to protect the merchant’s name and the loyalty of its clients.