The new standard, slated for enforcement in 2024, will likely pose several additional challenges amid escalating financial cybercrime and digital fraud
As organizations prepare to implement Payment Card Industry Data Security Standard (PCI DSS) v4.0 by 2024, a study based on global data gathered by qualified security assessors (QSAs) from five corporate entities, with additional comparisons between geographic regions (Americas, EMEA and APAC), has revealed some new cybersecurity, compliance and fraud trends.
Despite compliance improving significantly in 2020, the cybersecurity threats organizations face are more cunning and evasive than they were even two years ago, according to the first-ever global analysis of PCI DSS assessments in the digital payments industry, released by Verizon.
The analysis report has noted that overall, PCI DSS compliance had improved significantly in 2020, with 43.4% of organizations analyzed maintaining full compliance, compared to 27.9% in 2019. Additionally, 56.7% of organizations in the analysis had failed their interim validation assessment due to one or more security controls omissions; yet the security control gap had still improved from 7.7% in 2019 to 4.0% in 2020. According to the PCI Security Standards Council’s Executive Director, Lance Johnson: “Substantial industry feedback drove changes to PCI DSS v4.0, (with key changes focusing) on meeting the evolving security needs of the payments industry; continuously promoting security processes; increasing flexibility for organizations using different methods to achieve security objectives; and enhancing validation procedures.”
What the data means for PCI DSS v4.0
While navigating their way through the changes in standards, CISOs and their teams will need to apply a logical, coordinated process to evaluate requirements and constraints, and to simplify some complex new measures and ensure data security. In this regard, the industry analysis report offers two insights:
- The key to achieving ongoing growth and stability of security and compliance program performance is to focus resources only on the parts of the security environment that are currently limiting or blocking further improvement—the weakest links, system constraints or leverage points. As such, strategic planning, coordination and execution at an operational level are paramount for averting costly data breaches.
- 5G, open architecture and Multi-access Edge Computing (MEC) will continue to enhance the mobile experience for the payments industry. However, security practitioners need to explore how these innovations will impact the PCI DSS compliance posture.
According to Sampath Sowmyanarayan, CEO, Verizon Business: “Despite compliance improvements, we know that bad actors are still out there and stronger than ever. Our own (research) has found the financial sector continues to be victimized by motivated organized crime, with servers being involved in 90% of financial breaches. As a result, working harder on your current strategy is unlikely to move the needle. To remain safe in today’s heightened cybersecurity climate, organizations will need to approach their objectives and goals at a project, program and strategic level.”