According to Verizon’s 2019 Payment Security Report, 18 percent of organizations surveyed had no defined data protection and security program. That’s despite the fact that PCI DSS compliance is, for all practical purposes, a fairly binding expectation. Though it is not law, PCI compliance is mandated by major card brands and the banks that handle payment processing. For merchants, these are essential business partners because they literally enable payment for goods and services.
According to Verizon, retail has done well with encrypting data in transit (PCI DSS Requirement 4) and protecting against malicious software (Requirement 5). Retailers also scored well in authenticating access (Requirement 8) to prevent data theft.
Unfortunately, retailers fall short of meeting the full PCI DSS requirements, especially for security management.
Retail scored the lowest of all industries studied on the controls that underpin data breach preparedness, such as:
- Identifying users and ensuring that they had the right level of privileges
- Following due diligence when engaging service providers
- Detecting unauthorized wireless access points
- Maintaining an incident response (IR) plan
Payment security is a global challenge with global consequences. Being compliant is not only good for business but also saves time and money.