The PCI DSS mandates a rigorous set of requirements for any organization that accepts, stores, processes, or transmits credit card information. The idea is that organizations following these requirements will be more resilient to breaches of cardholder data. However, Verizon's 2020 Payment Security Report (PSR), which has documented compliance trends in the payment security industry for more than a decade, found that only 27.9% of global organizations maintained full compliance with the PCI DSS, and that there has been a clear downward trend in PCI DSS compliance since its 2016 peak.
This highlights the continuing challenges surrounding PCI compliance in banking. At the same time, compliance has never been more important, given a fast-moving threat landscape. Over the course of the pandemic, financial institutions invested heavily in digital transformation. These investments increased the size of the corporate cyber-attack surface and created new risks, including:
- Unpatched assets, such as home working endpoints
- Misconfigured assets, such as cloud databases
- Unsecured remote working infrastructure like legacy VPNs and remote desktop protocol (RDP) endpoints
- Employees working from home who may be more willing to bypass security policy and engage in risky behavior
- An expanded network of physical and digital supply chain providers featuring suboptimal security
Threat actors are quick to take advantage of such changes. One vendor detected a 1,318% year-on-year increase in ransomware attacks on the banking sector in the first half of 2021. According to the Data Breach Investigations Report (DBIR), Verizon's annual publication providing a deep analysis of global cybersecurity breaches, most threat actors targeting the industry last year were external, financially motivated, and focused on stealing personal and bank data as well as credentials. Alongside user error, basic web application attacks and social engineering represented the vast majority (81%) of breaches in the sector. The 15th anniversary edition of the DBIR is available May 24th, 2022.