COVID-19 and the payment card data security standard
The Payment Card Industry Data Security Standard (PCI DSS) was a commendable initiative introduced in 2003 by the industry to push for better security standards and safer payments globally.
However, despite passing the initial test for certification, according to Verizon’s 2019 Payment Security Report, organisations are increasingly failing to maintain full compliance with all twelve requirements that constitute the standard. Indeed, results from “interim security testing” show global compliance plummeting by nearly a third, from 55% to 37% between 2016 and 2018.
What is more, organisations that have theoretically achieved compliance continue to suffer from cyberattacks.
Consider the financial service industry (FSI). Before any institution can process payments in banking, insurance or mortgage lending, it is obliged to ‘pass’ the PCI DSS. Nonetheless, an independent study conducted by the Ponemon Institute revealed that FSI organisations are ineffective at safeguarding their data subjects (customers and employees alike) from a breach.
As a consequence of insecure software or technology, 56% of these organisations experienced system failure or downtime, and 51% were subject to the theft of sensitive customer data.
This is troubling information to digest. For one, we have entrusted sensitive data to organisations who are ill-prepared to protect it from cybercriminals. Moreover, as Verizon’s report indicates, they do not appear motivated to fix this issue, allowing cybersecurity to fall by the wayside.
Adding insult to injury, since the outbreak of COVID-19, it seems that cybercriminals have ramped up their efforts.
In fact, researchers at RiskIQ have noticed a 20% increase in Magecart card skimming attacks on online retailers during this pandemic. For example, in February of this year, malicious code was inserted on Nutribullet’s website.
In March, it was discovered that the UK hardware retailer, Robert Dyas, had a card skimmer surreptitiously sitting on its payment processing page for more than three weeks. In both cases, the skimmer allowed cybercriminals to poach credit and debit card numbers as well as CVV codes off customers.
Consequently, more than ever, organisations need to be vigilant and aggressive with their security strategies.
Unfortunately, while achieving compliance with the PCI DSS is a fundamental step towards building a strong security posture, many mistake certification of such compliance for security itself. As Troy Leach, senior vice president of the Payment Card Industry Security Standards Council (PCI SSC), has emphasised, it is only through security that compliance is achieved.
In our hyper-connected world, the threat landscape is constantly evolving and growing in sophistication, demanding a proactive response. Yet even the financial services industry, which has cultivated greater cyber hygiene than other industries, is struggling to keep up.
For the majority of FSI organisations, the problem lies in the fact that security vulnerability assessments are only administered post-release.
In the Ponemon ‘State of Software Security in FSI’ report, almost a third of respondents (32%) admitted that assessments occur in the post-release phase, and an additional 20% in the post-production release phase.
Furthermore, only 34% of FSI software is tested for vulnerabilities. It comes as no surprise, then, that a mere 25% of respondents were confident that their organisations are able to detect security vulnerabilities in their software and systems before release.
Across all organisations, a common issue fostering such underdeveloped or sluggish security strategies is the infrequency of assessments.
Assessors checking for PCI compliance, whether qualified security assessors (QSAs) or internal security assessors (ISAs), often oversee formal interim testing once a year.
This does not guarantee that the organisation upholds compliance throughout the year. In addition, such sporadic testing hardly delves into the entire security infrastructure on which software is built; it monitors security only superficially.
Organisations cannot afford to be complacent and assume that passing compliance tests once a year is the proof they need to claim cybersecurity readiness.
Rather, security strategies and compliance should be built into the core of any organisation’s operations. They should be proactive, continuous and holistic. This means, for instance, ensuring that security measures are put in place early in the software development life cycle.
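One concrete form of the continuous monitoring argued for above is a daily script-inventory check on the payment page: the skimmers described earlier sat on checkout pages for weeks, which an annual assessment cannot catch. The following is an added example, not code from the article or from any organisation it names; the baseline and the sample checkout page are constructed, and the injected URL is a placeholder.

```python
"""Compare the <script> elements on a checkout page against a known-good baseline.

Added example (not from the article). External scripts are matched by URL;
inline scripts by the SHA-256 of their body. Anything not in the baseline is
reported so an injected skimmer is flagged the day it appears.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script URLs and digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def find_unexpected_scripts(html, baseline_external, baseline_inline_sha256):
    """Return (new external URLs, new inline digests) absent from the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    return (sorted(collector.external - set(baseline_external)),
            sorted(collector.inline - set(baseline_inline_sha256)))


# Constructed baseline: the one bundle and one inline bootstrap the page should carry.
BASELINE_EXTERNAL = {"/static/checkout.js"}
BASELINE_INLINE = {hashlib.sha256(b"initCheckout();").hexdigest()}

# Constructed checkout page: baseline scripts plus one injected external script.
SAMPLE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script>initCheckout();</script>
<script src="https://cdn.example.invalid/jquery.min.js"></script>
</body></html>"""
```

Running `find_unexpected_scripts(SAMPLE_HTML, BASELINE_EXTERNAL, BASELINE_INLINE)` on the constructed page returns the injected URL and no new inline scripts; a changed inline script surfaces as an unknown digest.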
Additionally, any shortcomings that are identified in PCI assessments should be swiftly remediated. As Gabriel Leperlier, Head of Continental Europe Advisory Services GRC/PCI, eloquently said, “It’s not a project, it’s a programme – something you need to maintain.”