What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard set by the five major payment brands and industry stakeholders to protect cardholder data from exposure. PCI DSS is a “self-regulating” industry standard rather than a law. Any organization that stores, processes or transmits credit card data must take steps to protect it. Organizations that suffer a breach and cannot show they were compliant can be penalized with fines, and in some cases may even be prohibited from working with specific payment brands.
What is the current state of the global payment security market?
The global payment security market is expected to reach $43.76 billion by 2025, according to a report by Grand View Research, Inc. The rising need for PCI DSS compliance and consumers' adoption of digital payment modes are likely to drive the growth of the market.
Back in 2015, Worldpay reported over 133,000 fraudulent transactions, which works out to stolen card details being used roughly once every 20 seconds. Payment security providers help their customers protect their systems from these threats and aim to secure businesses by bringing them into compliance with PCI DSS. The payment security market is therefore expected to be driven largely by PCI DSS compliance efforts.
What are some of the most notable data breaches?
A large breach of South Korean payment infrastructure is currently unfolding; its source has not yet been determined. Last May, a security firm observed 42,000 compromised credit card records originating from South Korea posted for sale on the dark web. In June the number reached 230,000 records, a 448% increase over May, and July was even more drastic with 890,000 new records, a 2,019% increase over May's benchmark.
Overall, more than 1 million compromised U.S.- and South Korea-issued credit cards have been posted for sale on the dark web since May 29, 2019.
Equifax, a consumer credit reporting agency, also suffered a breach in September 2017 that exposed the personal information of 147 million people. More recently, Equifax reached a $650 million consumer settlement related to that 2017 breach, a sad reminder that no one is safe from breaches and that our cybersecurity is still insufficient.
These incidents are reminders that the retail industry and credit card data remain primary targets of hackers, organized crime and state-sponsored attackers. We cannot continue to ignore the topic, as attacks keep growing in frequency and breadth.
So, what’s next? What can we do?
PCI DSS 4.0, which was expected to be announced at the September 2019 community meeting, will now not be released before late 2020. It is encouraging, however, that PCI DSS is moving away from point-in-time compliance assessment. As we have learned, most companies that experienced credit card breaches were not PCI DSS compliant at the time of the incident. Organizations must transition to continuous oversight of their control environments to ensure continuous compliance.
PCI DSS 4.0 goals:
- Ensure the standard continues to meet the cybersecurity needs of the payment industry,
- Add flexibility and support additional methodologies to achieve security,
- Promote validation methods and procedures,
- And, last but not least, promote cybersecurity as a continuous process.
Organizations must adopt continuous assurance practices. Continuous auditing, monitoring and compliance are critical to the maturity of any cybersecurity and privacy program, and regulators and industry bodies will continue to push for continuous oversight. History has shown that a point-in-time assessment does not cut it. We must remain diligent in our efforts to fight crime, protect what matters and, above all, maintain our compliance posture over time.