With PCI DSS proving too hard, can Australian companies do better on GDPR?

Poor card-security compliance doesn’t bode well for GDPR and overall governance

Australian companies will need to comply with the European Union's new data-privacy rules far better than they currently comply with the PCI DSS payment-card security standard, according to new figures showing that executives are unhappy with their organisations' compliance progress and that consumers are right to doubt businesses are protecting their confidential data adequately.

Companies pursuing PCI DSS compliance validation, which is required of any organisation that stores, processes or transmits consumers' payment-card details, are getting better at passing their interim assessments: Verizon's 2017 Payment Security Report found that 55.4 percent of companies were fully compliant at their interim assessment in 2016, up from 48.4 percent the year before and from just 11.1 percent in 2012.

Even so, nearly half of companies still fall short at interim assessment, and the figures chime with concerns voiced by senior business executives in a new ISACA survey, which found that fewer than one-third of respondents were satisfied with their organisation's GDPR progress and that 35 percent weren't even aware of what that progress was.

“GDPR is more aggressive than previous privacy requirements, with tougher consequences for violation,” Escoute Consulting president Mark Thomas, author of a new ISACA guide on GDPR compliance, said in a statement.

“It also doesn’t define what ‘reasonable’ means in terms of the required level of personal data protection, which gives the GDPR governing body wide latitude when it comes to assessing fines for noncompliance. Companies equipped with a solid governance structure have already won half the battle. For those without, this is an important driver for adopting one.”

Companies' eventual success with GDPR compliance will become clear over time, but their still-deficient PCI DSS performance was evident in the systemic shortcomings in security practice that Verizon observed. One company, for example, sought an exemption from the Wi-Fi requirements of PCI DSS and failed the assessment because nobody knew that one of its own IT administrators had installed a Wi-Fi network for his personal use.

Having just one "powerful" control in place, such as strong authentication, can prevent 80 percent of attacks, the report noted. Yet, echoing past warnings that many companies are erroneously shifting their information-security resources to governance requirements, fully 13 percent of organisations lacked expected PCI controls such as security testing and penetration testing, controls that are fundamental not only to PCI DSS but to many other compliance regimes.

"Many organisations still look at PCI DSS controls in isolation and don't appreciate that they are inter-related," Verizon global managing director for security Rodolphe Simonetti said in a statement. "The concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals; however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts."

Given such common shortcomings, it is little surprise that consumers still don't trust their service providers to protect their personal information adequately. A recent Internet Society survey of 2072 Asia-Pacific consumers found that fewer than 10 percent fully trust Internet service providers, e-commerce sites, online shops and online content service providers.

More than 70 percent of respondents said they believe their personal data is not sufficiently protected online, while fully 90 percent said they were “very uncomfortable or uncomfortable” with providing bank and credit card details online.

That level of consumer concern, compounded by how often data protection falls short in systemic ways, bodes poorly for Australian companies' broader compliance efforts, which will be a key focus in 2018: Australia's Notifiable Data Breaches (NDB) scheme takes effect in February, the updated PCI DSS 3.2 requirements become enforceable, and the European Union's General Data Protection Regulation (GDPR) comes into force in May.

Even the Office of the Australian Information Commissioner (OAIC) has been proactive, highlighting the importance of compliance in its new Corporate Plan 2017-18. This comes amid plans for an Australian Public Service (APS) Privacy Governance Code designed to position the public sector as "the national leader in personal information protection".

The GDPR, as the OAIC notes, includes many requirements similar to those in Australia's Privacy Act 1988 as well as "additional measures that aim to foster transparent information handling practices and business accountability around data handling." The OAIC has published guidance to help Australian businesses evaluate and meet their individual responsibilities under the GDPR.

Where implemented and followed, PCI DSS and other governance standards can deliver significant security improvements. The Verizon report found that just 9 percent of organisations that suffered a confirmed payment-card breach could show they had previously been validated as PCI DSS compliant, and none of the breached organisations was fully compliant at the time of the breach.

But getting to that stage will require a combination of enforcement and guidance – and some industry organisations are working to provide both. “Many companies won’t be ready when they should be,” OVH vice president for development and public affairs Alban Schmutz, who serves as president of European cloud service provider organisation CISPE, recently told CSO Australia.

CISPE’s Code of Conduct for data protection is being expanded to dovetail with industry-specific regulations like PCI DSS to “establish what is the industry level that can be done by everyone,” Schmutz said.

“Adhering to this code of conduct is a powerful tool to show GDPR assessors that you have done the work. It’s all about preparing things, being able to show authorities, being able to be as reactive as possible, and mustering your value chain to be sure there is no cascade of issues behind that.”
