Verizon: Breaches Under-Reported GloballyNew Report Finds Maintaining PCI Compliance a Challenge
Although breaches of U.S. retailers are widely reported, a new study shows that increases in the theft of payment card data and other personal information span numerous industries in all international markets.
Verizon's PCI Compliance Report, now in its fourth year, also shows that while compliance with the Payment Card Industry Data Security Standard has been more of a focus in the last 16 to 24 months for U.S. merchants, maintaining compliance poses increasing challenges for all global industries, says Franklin Tallah, executive consultant of compliance and governance services at Verizon Enterprise Solutions.
"Enforcement of the PCI standard is definitely stronger here in the U.S.," Tallah says. "The merchants here definitely pay attention and comply more. It's really just a matter of enforcement."
Weaker breach notification requirements in other nations has left the inaccurate impression that the U.S. is suffering from more breaches than anywhere else, Tallah says.
That's because many other nations are still in the process of enacting breach notification laws that resemble requirements already in place in 47 of the 50 U.S. states.
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, agrees with the report's conclusion about the under-reporting of breaches in other nations. She notes that while U.S. breach disclosure laws may seem archaic, because they are decentralized, they are far ahead of anything currently on the books in other countries (see Obama's Breach Notification Plan Lacks Specifics).
"The U.S. also has more prolific and active security journalists covering this space, which has also encouraged more breach disclosure," Litan adds.
Tallah says Verizon's data about PCI compliance and breaches from other international markets is based primarily on information provided by its clients. For this most recent report, data from clients in 95 countries is included, though the majority of data is from U.S. organizations.
"Many of the stories that reach the papers and TV news are from the U.S., but data breaches happen everywhere," Verizon notes in its report. "When a breach happens in the U.S., we are much more likely to hear about it."
Based on Verizon's client data, organizations in other nations are just as likely to suffer breaches that expose card data as those in the U.S., the report notes.
Card Fraud Increasing
Global financial losses related to card fraud doubled from $7 billion in 2009 to $14 billion in 2013, according to research firm BI Intelligence, Verizon notes.
"[A] troubling trend from this year's report is that data security is still inadequate," says Rodolphe Simonetti, managing director of professional services for Verizon Enterprise Solutions. "A PCI-DSS assessment can uncover important security gaps that should be fixed, but it is not a guarantee that the data is safe from a cyberattack."
Breached companies were typically not complying with 10 out of 12 PCI-DSS requirements at the times of their breaches in late 2013 and 2014, Verizon notes in its latest report. "This certainly suggests a strong correlation between not being PCI-DSS compliant and being more susceptible to a data breach involving payment card information," the report states.
In 2014, about 20 percent of businesses surveyed for the Verizon report were PCI compliant, up from 11.1 percent in 2013, Tallah adds.
And for many, maintaining compliance is a struggle. "We found that companies are getting better at vigilance," Tallah says. "But for companies that were compliant one year, 12 months later, they were found not to be compliant."
Troy Leach, chief technology officer at the PCI Security Standards Council, says companies' inability to maintain PCI compliance is discouraging. "It's going to be an ongoing challenge," he says. "What we need to focus on is how we can do better at maintaining compliance and minimizing what we are trying to protect."
Emerging Security Solutions
Removing card data from transactions through technologies such as tokenization and encryption is showing promise in helping organizations shore up card security, Tallah and Leach say.
But implementation can prove challenging, Leach says. "There are only thousands of security professionals around the world who understand the intricacies of cryptography," he says. "We just have a resource shortage in today's market. So we need to look at ways that we can rely on third parties to encrypt that data before it ever enters a merchant's system. Having a third party manage that cryptography process for you definitely can work."
One area that is showing promise for better authentication of cardholders and the verification of payments transactions is advanced behavioral analytics, Verizon points out.
Mobile carriers, including Verizon, are working with banking institutions to use their data to make behavioral analytics even more effective, Verizon notes. "One example of this is using location data from a consumer's cellphone as an additional factor when scoring the risk of a transaction - if it's a cardholder-present transaction and their phone is 500 miles away, the chances of it being fraudulent are much higher," Verizon says in its report.
But Gartner's Litan says this type of analytics has not been widely adopted because banks don't want to forge separate agreements with each of the carriers used by their customer base. "Another, even more significant, impediment is that banks are concerned their customers will perceive their use of mobile location services as privacy-invasive," she says.