21st PCI London
21 January 2021, Online
Can PCI DSS 4.0 solve the compliance conundrum?
Securing online business and the online payments ecosystem has never been more important - so why are standards slipping?
It’s a cliché of our pandemic era that businesses must digitalise or die. It’s less often explained what this means in practice. But attacks like the one on Garmin, the recent hack of Germany's state-owned vehicle fleet (which provides chauffeurs for parliamentarians and is run by the Bundeswehr military), and February’s DDoS attack on AWS (the largest in history) illustrate that ‘going digital’ has very concrete consequences.
It’s taking orders or bookings for your product or service online or via mobile; it’s accepting payments and providing refunds over the same channels; it’s collecting data that sits in digital shops; it’s developing digital services around even physical products and charging for them online via recurring subscriptions. Even the humble pizza merchant now takes all their orders via app, so a DDoS attack shuts down a physical food company and a breach of payment data pushes customers made disloyal by hunger to more reliable offerings.
Into this environment, accelerated dramatically by COVID, comes the latest Verizon Payment Security report. It concluded that "fewer and fewer organizations are demonstrating the ability to keep a minimum baseline of security controls in place". In 2018, it noted that the percentage of organisations demonstrating full PCI DSS compliance had dropped dramatically to the lowest level since 2013 - and in 2019, that percentage fell yet again by 8.8 percentage points.
These merchants are not alone in their complacency: in the US only a third of major fuel merchants have fully implemented basic EMV and a fifth are still in the planning stage – and the deadline has had to be extended to April 2021.
All the while, the Magecart group is coming up with new skimming techniques to steal payment card data from the e-commerce sites of small and midsized businesses; other fraudsters have figured out how to use the Telegram app as a fast and easy way to exfiltrate payment card data stolen from e-commerce sites; and larger companies are putting data at risk with flawed public cloud migrations, as demonstrated by the $80 million fine recently imposed on Capital One by the US OCC for last year’s card data breach.
Into this mêlée comes PCI DSS 4.0 at some point in 2021. What exactly will it look like? Are people waiting for what they hope will be a major revamp that takes the practical realities of the digital revolution into account? Is that why compliance with the current standard is dropping so fast? Or has the need to digitalise created a mass of new firms who should be compliant but who have simply not had time yet? Survive first, comply later?
For seasoned PCIers, PCI London 2021 will examine the reasons for current non-compliance, suggest cost-effective solutions and lift the lid on PCI DSS 4.0; for newly digitalised businesses it will provide critical insights and information on combating fraud and ensuring payment security and card data privacy.