How poor PCI DSS compliance and data breaches go hand-in-hand

What role should financial services firms play in encouraging best security practices among merchants?

Banking security is everyone’s responsibility. From the banks’ perspective, they must have robust systems in place to proactively tackle fraud before transactions can take place, as well as ensuring customer data is protected from potential breaches.

On the consumer side, individuals also have a responsibility to minimize their risk of falling victim to fraud by keeping their personal and financial details safe and not engaging in poor practices such as reusing passwords. Banks have a role to play here as well, such as educating users about safe conduct and explaining how their customer contact processes work to ensure consumers do not fall victim to scams such as phishing attempts.

But what about the role of the merchant in defending against fraud and data breaches? Any company collecting payment data in order to process a transaction obviously needs to take steps to ensure the safety of this data – but it seems many are not fully meeting their responsibilities in this area.

Lack of compliance a common problem

A recent study by Verizon highlighted a clear link between merchants that are not fully compliant with industry standards and those that fall victim to data breaches. In particular, it noted a correlation between poor Payment Card Industry Data Security Standard (PCI DSS) compliance and an inability to adequately defend a business against cyber-attacks.

The company’s 2017 Payment Security Report found that of all the payment card data breaches it examined, no organization was fully compliant with PCI DSS at the time it was compromised. Overall, companies demonstrated lower compliance in 10 of the 12 key PCI DSS requirements.

While overall compliance levels are improving, nearly half of businesses that accept card payments – including retailers, restaurants and hotels – are still failing to maintain compliance from year to year.

Rodolphe Simonetti, global managing director for security consulting at Verizon, said: “There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks. Whilst it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small – are still not meeting PCI DSS compliance standards.”

How can financial services help?

One of the first things that financial services organizations may be able to do in order to improve this situation is lead by example. In this regard, it seems the sector is performing better than average. While overall, just 55.4 percent of businesses are fully PCI DSS compliant, this rises to 59.1 percent among financial services firms. While this indicates that even among these firms, there is still some way to go

It will be an acquiring bank’s responsibility to ensure merchants are compliant, and if a merchant is hit by a data breach as the result of a PCI DSS compliance failure, the card provider will issue the acquiring bank with any financial penalty. While this will in turn be passed on to the merchant, it is clearly in everyone’s best interests not to reach this stage. For banks, dealing with non-compliance is an additional headache, while merchants can find themselves facing large fines, increased fees or even having their relationship terminated.  

For the financial services sector, providing clear advice and guidance on ensuring compliance should be essential if the problem of data breaches is to be tackled. This is not something that any one organization can achieve on its own, so ensuring security in an ever-changing environment must be an industry-wide effort.

Written by Owen Wild

Owen Wild

Owen is responsible for marketing strategies for the NCR Security Solutions within NCR’s Financial Solution Portfolio. Over the past 15 years, Owen has held several sales and marketing positions with leading travel and tech companies.

Read more articles from Owen Wild