COVID-19 and the payment card data security standard

Drew Kilbourne of the Synopsys Software Integrity Group discusses the Payment Card Industry Data Security Standard and COVID-19

Jun 14 | magazine | 10 min read

The Payment Card Industry Data Security Standard (PCI DSS) was a commendable initiative introduced in 2003 by the industry to push for better security standards and safer payments globally.

However, despite passing the initial test for certification, according to Verizon’s 2019 Payment Security Report, organisations are increasingly failing to maintain full compliance with all twelve requirements that constitute the standard. Indeed, results from “interim security testing” show global compliance plummeting by nearly a third, from 55% to 37% between 2016 and 2018.

What is more, organisations that have theoretically achieved compliance continue to suffer from cyberattacks.

Consider the financial services industry (FSI). In order for any institution to process payments in banking, insurance or mortgage lending, it is obliged to ‘pass’ the PCI DSS. Nonetheless, an independent study conducted by the Ponemon Institute revealed that FSI organisations are ineffective at safeguarding their data subjects (customers and employees alike) from a breach.

As a consequence of insecure software or technology, 56% of these organisations experienced system failure or downtime, and 51% were subject to the theft of sensitive customer data.

This is troubling information to digest. For one, we have entrusted sensitive data to organisations who are ill-prepared to protect it from cybercriminals. Moreover, as Verizon’s report indicates, they do not appear motivated to fix this issue, allowing cybersecurity to fall by the wayside.

Adding insult to injury, since the outbreak of COVID-19, it seems that cybercriminals have ramped up their efforts.

In fact, researchers at RiskIQ have noticed a 20% increase in Magecart card skimming attacks on online retailers during this pandemic. For example, in February of this year, malicious code was inserted on Nutribullet’s website.

In March, it was discovered that the UK hardware retailer, Robert Dyas, had a card skimmer surreptitiously sitting on its payment processing page for more than three weeks. In both cases, the skimmer allowed cybercriminals to poach credit and debit card numbers as well as CVV codes off customers.

Consequently, more than ever, organisations need to be vigilant and aggressive with their security strategies.

Unfortunately, while achieving compliance with the PCI DSS is a fundamental step towards building a strong security posture, many mistake certification of such compliance for security itself. As Troy Leach, senior vice president of the Payment Card Industry Security Standards Council (PCI SSC), has emphasised, it is only through security that compliance is achieved.

In our hyper-connected world, the threat landscape is constantly evolving and growing in sophistication, demanding a proactive response. Yet even the financial services industry, which has cultivated greater cyber hygiene than other industries, is struggling to keep up.

For the majority of FSI organisations, the problem lies in the fact that security vulnerability assessments are only administered post-release.

In the Ponemon ‘State of Software Security in FSI’ report, almost a third of respondents (32%) admitted that assessments occur in the post-release phase, and an additional 20% in the post-production-release phase.

Furthermore, only 34% of FSI software is tested for vulnerabilities. It comes as no surprise, then, that a mere 25% of respondents were confident that their organisations are able to detect security vulnerabilities in their software and systems before release.

Across all organisations, a common issue fostering such underdeveloped or sluggish security strategies is the infrequency of assessments.

Assessors checking for PCI compliance, whether qualified security assessors (QSAs) or internal security assessors (ISAs), often oversee formal interim testing once a year.

This does not guarantee that the organisation upholds compliance throughout the year. In addition, such sporadic testing hardly delves into the entire security infrastructure on which the software is built; it monitors security only superficially.

Organisations cannot afford to be complacent and assume that passing compliance tests once a year is the proof they need to claim cybersecurity readiness.

Rather, security strategies and compliance should be built into the core of any organisation’s operations. They should be proactive, continuous and holistic. This means, for instance, ensuring that security measures are put in place early in the software development life cycle.

Additionally, any shortcomings that are identified in PCI assessments should be swiftly remediated. As Gabriel Leperlier, Head of Continental Europe Advisory Services GRC/PCI, eloquently said, “It’s not a project, it’s a programme – something you need to maintain.”
