Verizon Business Report Finds Payment Cards Lack Security From Cybercriminals

*Originally published on

Customer payment data is being targeted by criminals as a way to gain both money and personal information, so it is important that installers know how to spot cybersecurity weak spots.

Integrators who deal at all with security, beware: organizations and their customers’ cardholder data is at risk due to a lack of long-term payment security strategy and execution, says the latest Verizon Business Payment Security Report (2020 PSR).

Organizations of all sizes continue to put their customers’ cardholder data at risk due to a lack of long-term payment security strategy and execution, warns the latest Verizon Business Payment Security Report (2020 PSR).

With many larger companies struggling to retain qualified CISOs or security managers, the lack of ongoing security thinking is severely impacting sustained compliance within the Payment Card Industry Data Security Standard (PCI DSS), according to Verizon.

Small Businesses Are Not Immune To Data Theft

A lack of PCI DSS compliance is also impacting small and medium-sized businesses (SMBs). SMBs were flagged as having their own unique struggles with securing payment data.

While smaller businesses generally have less card data to process and store than larger businesses, they have fewer resources and smaller budgets for security, impacting the resources available to maintain compliance with PCI DSS.

Often the measures needed to protect sensitive payment card data are perceived as too time-consuming and costly by these smaller organizations, but as the likelihood of a data breach for SMBs remains high it is imperative that PCI DSS compliance is maintained.

Payment data remains one of the most sought after and lucrative targets by cybercriminals with 9 out of 10 data breaches being financially motivated, as highlighted by the recent Verizon Business 2020 Data Breach Investigations Report (2020 DBIR).

Within the retail sector alone, 99% of security incidents analyzed by the 2020 DBIR were focused on acquiring payment data for criminal use.

The 2020 PSR found that on average only 27.9% of global organizations maintained full compliance with the PCI DSS, which was developed to help businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

More concerning, this is the third successive year that a decline in compliance has occurred with a 27.5 percentage point drop since compliance peaked in 2016 (as seen in the 2017 PSR).

“Unfortunately, we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” states Sampath Sowmyanarayan, president, global enterprise, Verizon Business.

Additional findings within the 2020 PSR shine a spotlight on security testing where only a little more than half of the organizations (51.9%) successfully test security systems and processes as well as unmonitored system access and where approximately two-thirds of all businesses track and monitor access to business critical systems adequately.

In addition, only 7 out of 10 financial institutions (70.6%) maintain essential perimeter security controls.

“This report is a welcome wake-up call to organizations that strong leadership is required to address failures to adequately manage payment security.

The Verizon Business report aligns well with Omdia’s view that the alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, in this case with PCI DSS 3.2.1 to provide appropriate levels of payment security.

It makes clear that long-term data security and compliance combines the responsibilities of a number of roles, including the Chief Information Security Officer, the Chief Risk Officer, and Chief Compliance Officer, which Omdia concurs with,” comments Maxine Holt, senior research director at Omdia.