Compliance with industry-standard payment-card security standards is declining amongst service providers and merchants. According to Verizon’s latest Payment Security Report, barely more than one-third of companies were fully compliant with PCI DSS standards in 2019. And to make matters worse, compliance has been dropping for the past three years, with a rapid decline from 2017.
Data protection compliance programs (DPCP) often represent a significant investment of time and money. Yet many remain ineffective and never advance beyond a “check the box” mentality toward compliance audits. These programs may “look good on paper” but fail in implementation and lack the review process needed to remain sustainable.
The Verizon report found that many CISOs focus only on keeping baseline control activities in place, instead of growing competency and measurable results. This attitude results in “security by script,” as if doing A, B, and C in the correct order will deliver sustainable data protection. But in the real world, risk is fluid, solutions aren’t simple, and a sustainable DPCP requires a complex path with non-linear progression.
Verizon introduced what it calls the 9-5-4 Compliance Program Performance Evaluation Framework. The framework combines Verizon’s 9 Factors of Control Effectiveness and Sustainability with the 5 Constraints of Organizational Proficiency and 4 Lines of Assurance. The nine factors of control are:
- Control Environment
- Control Design
- Control Risk
- Control Robustness
- Control Resilience
- Control Lifecycle Management
- Performance Management
- Maturity Measurement
- Self-Assessment
To evaluate companies, Verizon ranked their DPCP on five constraints of organizational proficiency (5 Cs):
- Capacity: is the company’s DPCP adequately funded and staffed?
- Capability: are the company’s leadership, culture, structure, and incentives aligned with a sustainable DPCP?
- Competence: does the company possess the essential knowledge and skills to design, implement, and maintain a DPCP?
- Commitment: are the top leadership and board of directors creating a culture of compliance?
- Communication: is there clarity on the program’s focus, objectives, tasks, and responsibilities?
Based on its findings, only 36.7% of organizations maintain sustainable control environments. When considering organizational proficiency, most companies scored well or acceptably on Capability, so the groundwork for adopting sustainable compliance is in place in most companies. Competence, however, is where most companies fell short: a lot of companies lack the core skills necessary for compliance.
Organizations don’t willfully and deliberately fail to design effective and sustainable control environments. The study found a lot of good intentions, and we all know where the road paved with good intentions leads. As an industry, we need to do better with education and skill development. Consumers are at risk now more than ever.
If you accept credit card data for processing payments, one way to mitigate PCI risk in a customer service organization is to adopt a payments IVR, like our Compass Payments Suite. We’d be happy to discuss how this, combined with a proper DPCP, can help you become more compliant.