Payment data security decline comes down to people – Verizon

By Mary Lennighan

Oct 7, 2020

  • Just over a quarter of businesses are fully compliant with payment card data security standards
  • Organisations are struggling to hire and retain qualified personnel
  • Businesses need to have complicated conversations about security
  • Or customer data will continue to be at risk as online shopping increases

The number of businesses in full compliance with data security standards for credit card usage declined again last year, according to a new study by Verizon Business, and that fall in no small part comes down to the people responsible for keeping customer data safe and the efficacy of communication within any given organisation.

Fewer than 28% of global organisations – 27.9%, to be precise – were 100% in compliance with the Payment Card Industry Data Security Standard (PCI DSS) last year, according to Verizon Business's 2020 Payment Security Report. The figure was down 8.8 percentage points on the previous year and significantly lower than the 2016 high of 55.4%.

To put it simply, many businesses are putting their customers' credit card data at risk, one way or another, and it's happening more and more, at a time when it is more important than ever for consumers to feel safe shopping online, given the restrictions on traditional retail stemming from the Covid-19 pandemic.

The weakest link here is not technology and systems, but people.

"Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable," said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business. "Payment security has to be seen as an ongoing business priority by all companies that handle any payment data; they have a fundamental responsibility to their customers, suppliers and consumers."

As Verizon Business points out, many companies are struggling to retain qualified Chief Information Security Officers (CISOs) or security managers in general, which impacts on their ability to remain PCI DSS-compliant in the long term. As many as 80% of Fortune 100 CISOs have held their current positions for less than five years, Verizon noted, citing a study by Digital Guardian. It also highlighted the most recent (ISC)2 Cybersecurity Workforce Study that put unfilled information security positions at more than 4 million worldwide, up by more than 1 million over 12 months.

Communication within the company is also vital. Tempting as it might be for security officers to avoid complex conversations about data protection and compliance simply because they are complex, it is their role to filter out jargon and learn to communicate with others in the company.

"It's the CISO's responsibility to initiate those conversations in the boardroom, where cybersecurity avoidance and underinvestment is common," Verizon's Payment Security Report reads. There is a belief within companies that security is simply about fortifying firewalls and the like and is the remit of the security personnel. But security is more complicated than that.

"Effective communication breaks that mindset and helps board members, CIOs and CEOs understand their critical responsibilities and manage their company's unique, evolving security challenges," Verizon advises.

The message to businesses is pretty clear: hiring the right security personnel and having the right conversations will have a big impact on sustainable payment card data security.

- Mary Lennighan, for TelecomTV
