Insights from Verizon’s 2020 Payment Security Report

The 2020 Verizon Payment Security Report was released in October and was largely devoted to identifying the challenges CISOs face in designing, implementing, and executing their organizations’ data security compliance programs and securing payment processes.

This annual report focuses on the state of compliance with PCI DSS version 3.2.1, and unfortunately, this year’s findings continued a trend we have seen since 2016; fewer and fewer organizations are keeping up with the minimum baseline of security controls and payment security is getting weaker. In 2019, only 27.9% of organizations achieved full compliance during their interim compliance validation. Organizations based in the United States were even less likely to comply with the PCI DSS, with just 20% of the organizations assessed achieving full compliance.


Some of the top challenges discussed in this year’s overview included how organizations operate in such fast-moving environments, but face numerous constraints with budgets time, tools, and lack of skilled workforce. At the same time, new internal and external threats are constantly emerging and hackers are identifying new ways to infiltrate networks via phishing scams, malware, and ransomware.

The report detailed 10 common data security mistakes:

  • Lacking an effective security strategy

  • Not understanding the scope of organizational risks

  • Viewing data protection as a technology problem

  • Failing to get real buy-in from board members and senior business management

  • Not knowing how to prioritize/what to address first

  • Being unaware of data and IT assets

  • Security functioning as an island

  • Not testing security

  • Inadequate education of the workforce

  • Denying that they are a target

The report also revealed, following the tests of real attacks on production environments, that even though the bulk of organizations assume they are protected, more often than not, they are exposed. Some of the more shocking statistics:

  • 91% of attacks did not generate an alert

  • 53% of attacks successfully infiltrated environments without detection

  • 68% of ransomware attacks went unnoticed

When Verizon looked specifically at the PCI DSS requirements, Requirement 7 (Restrict access) and Requirement 5 (Protect against malicious software) had the strongest performance in terms of full compliance. Compliance performance related to Requirement 11 (Test security systems and processes), Requirement 12 (Security policies and management), and Requirement 6 (Develop and maintain security systems) were the worst.

Requirement 11 posed the most difficulty for organizations struggling to achieve full compliance, with their failure to meet requirements for scanning and penetration testing. American organizations had only a 35% compliance rate with Requirement 11 when assessed. The main operational issues associated with these failures included delaying until the month before a scan is due, which then led to the discovery of issues requiring complex remediation that could not be resolved within 30 days.  Organizations also face challenges with changes in staff, an overall lack of oversight, and proper management of end-of-life technologies that are no longer supported.

The drop in Requirement 12 compliance is largely attributed to the requirements for risk assessments, security awareness training, and service provider management.

And Requirement 6 infractions should also not be ignored as many assessed entities’ lacked the ability to reconcile installed security patches.

The report details the 20 biggest control gaps in PCI DSS compliance. We would recommend reviewing these gaps to verify your organization has not similarly overlooked any of these requirements. You may want to consider asking your QSA to focus additional attention on any applicable areas during your annual compliance cycle.


Too many organizations find themselves constantly in reaction mode, putting out daily fires (or in the case of 2020, a rather large, never-ending COVID fire), vs. dedicating resources to proactively planning and investing in security technologies and strategies for protecting sensitive information.

Organizations need to prioritize data security and the protection of sensitive information. As we know, it is too costly to protect all systems and assets from all threats and vulnerabilities, so environments must be properly scoped and segmented, data types classified, and risks prioritized.  Aligning security strategies with organizational strategies for compliance with the PCI DSS, as well as other security and privacy standards (GLBA, FERPA, HIPAA, GDPR, etc.), can also help more effectively allocate resources and avoid a duplication of efforts.

A Business as Usual PCI Compliance Program

As mentioned above, COVID-19 has pulled many security teams’ focus to the task of either safely resuming in-person operations or successfully transitioning to remote environments.  Because teams are unable to prioritize compliance, this is all the more reason for integrating daily, monthly, quarterly, etc. tasks required for PCI compliance into your business as usual process.

Check out our Business As Usual templates and guidance documents below for some expert advice and key strategies from a few of our valued CampusGuard customers:

A Well Run PCI Program: How Do They Do It?

PCI DSS: Round the Clock Compliance

Additional comments and feedback from our Offensive Security Services team below:

[Wheeler]: It is not surprising to see many of these control gaps on the list of Top 20.  How can an organization effectively install critical patches (PCI Ref. 6.1) on systems when they are unable to maintain a list of in scope components (PCI Ref. 2.4) or installed software (PCI Ref. 2.4a)?  If ASV (external) vulnerability scans (PCI Ref. 11.2.2) and internal vulnerability scans (PCI Ref. 11.2.1) are not being performed, how does the systems or security team know they have vulnerabilities to patch (PCI Ref. 6.1)?  Each of these build on each other and have co-dependencies.

I think it is important for organizations that are struggling, to identify the cause of why they are unable to be in compliance with each requirement of the framework they are working with.  Only then can you begin to plan how to solve the issue(s) at hand.  If there is a systemic problem with not having enough resources to patch systems regularly, maybe the solution is to implement something like Microsoft System Center Configuration Manager (SCCM).  Sure, it’s more time up front, probably some additional hardware/software cost, but should save plenty of time for administrators to deploy patches in the future.  Think of it as working smarter, not harder.

Another item that stands out to me is PCI Ref. 11.3.3, “Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed remediation”.  This control had a larger gap than the external or internal penetration testing itself.  This points to the fact that after an organization has a penetration test performed, they are not mitigating the findings (or are not able to).  A possible cause may be that an organization receives a report that they don’t understand or are unsure where to start mitigating.  Our Offensive Security Services team works very closely with our customers to ensure that the results of a penetration test are understood clearly, and often provides alternative mitigating techniques to those customers that might have a more complex situation or environment.  Having this close partnership is a crucial component to get to the place where a re-test can be performed, and the customer can become compliant with PCI DSS 11.3.3 (as well as other related requirements).