Executive Summary


  • For more than a decade, Verizon has documented compliance trends in the evolving payment security industry. The Payment Security Report (PSR) has tracked compliance ups and downs, while keeping a finger on the pulse of the changing payment security landscape. During this time, consumers and businesses substantially increased business activities conducted online. The COVID-19 pandemic escalated that trend and, as a result, the number of payment card transactions also increased. Meanwhile, the capabilities of threat actors continue to evolve and escalate, enabling the skillful exploitation of both existing and emerging threats and weaknesses within payment systems and processes.

    Additionally, digital transformations that rely heavily on cloud technologies are introducing new drivers that impact the payment security industry, further complicating the role of CISOs and other security managers and practitioners.

    In response to these recent challenges, the PCI Security Standards Council (SSC) instituted a major rewrite of the PCI DSS v4.0. The latest update will help organizations ensure that data security controls remain relevant and effective in a shifting landscape. It’s the most significant update to the PCI DSS since its initial release in 2004. If you feel overwhelmed by the amount of information you need to digest to understand the impact of PCI DSS v4.0 and want to simplify the complexity with the best-curated wisdom available, the 2022 PSR is essential reading.

    • The security management toolbox

      A valuable set of models, methods and frameworks to simplify security compliance management:

      • The GRC2
      • The Security Management Canvas (TSMC)
        • Security business model (SBM)
        • Security strategy
        • Security operating model (SOM)
        • Security frameworks
        • The 9 Factors of Control Effectiveness and Sustainability
        • The 7 Constraints of Organizational Proficiency
        • The 4 Lines of Assurance
      • The Theory of Constraints and the Logical Thinking Process

  • An updated standard with higher expectations

    Organizations worldwide should be gearing up to implement the changes required by PCI DSS v4.0. Planning and focusing attention of scarce resources on a set of design priorities for PCI DSS v4.0 is of utmost importance. If you don’t design a bespoke program for your organization, you’ll be violating one of the fundamental principles of security and compliance management that Verizon has promoted for over a decade: Success is achieved by design, not by luck.

    It has been nearly 20 years since the introduction of the PCI security compliance regulation. That’s plenty of time for every experienced CISO and management team to develop a security compliance management toolbox.

    Your tools should create structure and order and drive clear results. Not having a toolbox and merely taking a trial-and-error approach is a dangerous way to operate (design, implement and improve) a complex security and compliance program. CISOs attempting to manage programs without proper toolboxes are jocularly described as engaged in the “six phases of a project”: 1) enthusiasm, 2) disillusionment, 3) panic, 4) search for the guilty, 5) punishment of the innocent and 6) praise and honor for the nonparticipants.3

    With the correct approach—one that enables proper planning and execution—there’s no reason for PCI DSS v4.0 projects to decline into panic. The design, implementation and management of PCI security strategy and program management is not an intractable problem.


    Toward an efficient algorithm for achieving sustainable control effectiveness

    A problem is tractable when a known, efficient algorithm solves it; it is intractable when no efficient algorithm for resolving it is known. Organizations fail to improve control environments and achieve the goal of sustainable control effectiveness for many reasons. We reviewed those reasons in the 2020 PSR’s Top 7 Strategic Data Security Management Traps (page 12).4 Solving an intractable problem hinges on two primary elements: determining the critical root cause and determining the most effective next action. In this edition of the PSR, we review the tools needed to address those elements while avoiding the introduction of damaging unintended consequences.

  • “Most geniuses—especially those who lead others—prosper not by deconstructing intricate complexities but by exploiting unrecognized simplicities.”5

    —Andy Benoit
  • What’s in your management toolbox?

    PCI security compliance is a business management discipline, not an information technology discipline. Organizations within the payment security industry need the knowledge and application of an appropriate set of management tools to deliver results within dynamic and complex environments: tools that support analysis, decision-making, coordination, alignment and control. The methods and techniques used to design and manage PCI security compliance goals, strategies and programs require careful consideration. There’s no shortage of methods to choose from: management by objectives (MBO), total quality management (TQM), the observe-orient-decide-act (OODA) loop, business process management (BPM), Lean, Six Sigma, Drum Buffer Rope (DBR), balanced scorecard (BSC), management accounting, critical chain project management (CCPM), force field analysis (FFA), cost-benefit analysis (CBA), change management (CM), etc. Still, no silver bullet exists. And the more chaotic the environment, the less effective many management approaches become over time. With the additional changes afoot, how do you choose the best, most effective long-term methods?


  • “It is a simple thing to make things complex, but a complex task to make them simple.”

    —Meyer’s Law
  • The best path for your organization’s journey

    In his landmark book The 7 Habits of Highly Effective People,7 Stephen Covey recommends starting “with the end in mind.” If you don’t know where you’re going, then any path will do. Or, in the immortal words of Yogi Berra: “You’ve got to be very careful if you don’t know where you’re going, because you might not get there.”8 To find the best path, you need to define and refine your goals. Therefore, this issue of the PSR focuses on goals. More specifically, it focuses on the importance of aiming for a clearly articulated security and compliance goal: how to formulate your goal and objectives, identify the requirements necessary to meet them and remove constraints. Every decision, task and activity within your PCI security program should be aligned with a defined goal and its objectives. This report homes in on a method for achieving the focus your security team needs to do this while staying highly productive—not simply busy. This is why we’re spotlighting the Logical Thinking Process (LTP) as an exceptionally valuable management tool that belongs in every CISO’s and security professional’s management toolbox.

  • “What’s the use of running if you are not on the right road?”

    —German proverb
  • In the early 1990s, Eliyahu M. Goldratt conceived a multistage process for complex problem solving called the Logical Thinking Process (LTP). This structured process takes an undefined or ill-defined system problem and helps practitioners advance it to an effective, fully implemented solution. For over 20 years, the LTP has been one of the most effective, rigorous and comprehensive problem-solving methods. It defines clear, prioritized and achievable goals, and it offers visibility and structure; clarity and quality of communication; improved decision-making; and a solid foundation for continuous improvement.

    The challenges organizations encounter with data security and compliance management have identifiable cause-and-effect relationships. Solutions can be applied at a process level, system level or both. While organizations experience different degrees of complexity with the systemic problem of protecting data 24/7, v4.0’s customized approach—if implemented correctly—should move the needle forward in the direction of effective, sustainable control.

    • One of the major breakthroughs in understanding the complex world of organizations is the field of systems theory, which greatly influenced how we understand and change organizations. Systems thinking helps organizations examine and simplify complexity, recognize patterns and expand the range of choices for problem solving.

      A systems thinking application is ideal for data security and PCI security compliance challenges because they are important issues; the problems are chronic rather than one-time events; the problems are familiar, with a known history; and organizations have unsuccessfully tried to solve the problems before. Systems thinking theory addresses the dynamics of a system in which there is an underlying order: small changes can cause complex alterations in the overall system. By applying a method that focuses on the entire system—its goals, requirements and constraints—organizations can identify solutions that address multiple problems at once.

  • Gall’s Law: “A complex system that works is invariably found to have evolved from a simple system that worked. The inverse proposition also appears to be true: a complex system designed from scratch never works and cannot be made to work. You have to start over, beginning with a simple system.”9

    —John Gall, systems theorist