Nearly half of companies fail to secure their payments systems from hackers, risking their ability to take card payments as they fall out of compliance with the payment card industry’s requirements, according to a new report by Verizon. Some 45 per cent of all companies assessed by the telecoms group did not comply with the Payment Card Industry (PCI) rules, often failing to scan their systems for vulnerabilities frequently enough and, in some cases, not encrypting data.

The report comes as companies with a European presence rush to prepare for the introduction of the EU’s General Data Protection Regulation, which will impose fines of up to €20m, or 4 per cent of revenues, for not protecting personal information.

Ciske Van Oosten, global intelligence manager for Verizon PCI Security Practice, said retailers and hospitality companies were the worst among industries studied, followed by financial services and IT services. “Retail is very bad at testing and very poor at encrypting data, securing transmitted data and authentication,” he said.

The data are based on Verizon’s interim scans, which show that between three and nine months after the annual PCI check, many companies had already made changes that meant they failed to comply. In the US and Latin America, fewer than half of the companies studied were compliant with the payments security rules. In Asia, more than half of companies are passing.

Not a single company that does comply with the PCI guidelines is known to have suffered a breach of its cyber defences, said Mr Van Oosten. There was a spate of large-scale breaches of point-of-sale devices at US retailers in 2013 and 2014, starting with Target, followed by the largest ever, at DIY chain Home Depot. Customers have not felt the consequences, as payments companies restrict their liabilities. However, there are significant risks for business.
Companies that do not comply with the standards each year risk breaking the terms of their contracts with payments groups, which could result in fines or being cut off from accepting payments. Mr Van Oosten said businesses often failed to appreciate the importance of rescanning their systems after significant changes, be that introducing new equipment, updating apps or even buying another company. “One major hotel chain that was a customer of Verizon used to be PCI compliant, but failed because it bought a newer hotel chain that took two-and-a-half years to get compliant,” he said.