Nearly half of retailers, restaurants, hotels and other businesses across the world take card payments without full compliance to the Payment Card Industry Data Security Standard (PCI DSS). When organisations do pass full validation, nearly half fall out of compliance within a year.
The Verizon 2017 Payment Security Report (PSR) published this week assessed businesses who had suffered a data breach in 2016.
The study found these businesses fulfilled less than 10 out of the 12 key requirements for PCI compliance. These included protection and storage of cardholder data, firewall use, malicious software protection and development of secure business broadband and business phone systems.
Verizon’s global managing director Rodolphe Simonetti says the report showed a clear link between PCI compliance and an organisation’s ability to coordinate cyber defence against cyber attacks.
The report shows the IT services industry achieved the highest full compliance of all key industry groups. Globally, 61.3% of IT services organisations achieved this in 2016, followed by financial services organisations (including insurance companies) at 59.1% and hospitality at 42.9%.
Card payment data is a primary target for hackers.
The constant race to keep up the defence against hackers with increasingly sophisticated cyber attacks can be overwhelming for businesses, especially those migrating traditional retail models to online transactions, or for businesses that span countries.
The game trading store CEX suffered a data breach last week.
Customer data such as first names, surnames, addresses, emails and phone numbers were accessed by an unauthorised third party. Up to two million registered customers online were potentially affected.
A small amount of encrypted data from expired credit and debit cards may have been compromised. Any payment card information that may have been taken, has long since expired as CEX stopped storing card data in 2009.
The data breach occured on the 30th August. August has the all-time highest number of data breaches.
Cybersecurity specialists are currently reviewing processes and implementing advanced measures to protect their business data in future.
Organisations who do not prepare for regulations such as MIFID II in January 2018 and GDPR in May 2018 do not just risk fines, they leave themselves vulnerable to long-term consequences for their business. Reputation, trust and loyalty are irreplaceable for businesses when lost. As the likelihood of cyber attacks increases, we predict customers will choose to use card payments online with businesses that prove regulatory compliance.
The CEX data breach will become an example of the importance of GDPR compliance as more information comes to light on safeguards in place. Under GDPR, companies that are not compliant at the time of a data breach will face fines of up to £17million or 4% of annual revenues - whichever amount is highest.
For over 30 years, Telefonix has consulted businesses in different industries on how to meet regulations with the right technology and cybersecurity solutions.
Ultimately, the best way for businesses to secure their customer data and defend against cyber attacks will be to use a combination of cyber security, contact centre, call recording and other specialist products with built-in regulatory compliance.
An annual checklist for PCI DSS compliance is available at The UK Card Association.