The compliance landscape


  • Much has evolved in payment security since the PCI DSS was introduced nearly 20 years ago. The speed and scope of these changes created a tipping point within the security community, prompting the PCI Security Standards Council (SSC) to address the critical need for substantial improvements to the baseline Standard.

    Central to that tipping point is the significant change in how we work: Many people work from home today, and securing home-based work computers is a growing challenge. More organizations are adopting cloud computing and the use of cloud native applications, and digital transformation is driving increased automation and interconnectedness. Meanwhile, cybersecurity threats are morphing and growing at a rapid pace, often stretching the limits of security programs. The threats organizations face are more cunning and evasive than they were even two years ago. Threat actors are breaking passwords once considered nearly uncrackable and even circumventing multifactor authentication (MFA). Ransomware is rampant; sophisticated phishing attacks are commonplace. The COVID-19 pandemic further complicated this complex mix, overwhelming CISOs and security experts already juggling mounting security alerts and scarce resources.


    How are you and your organization preparing to meet these new requirements and improve the overall maturity of your control environment?


    The pressure of these changes raises an obvious question: How are you and your organization preparing to meet these new requirements and improve the overall maturity of your control environment?

    It’s no secret that many organizations need to significantly update their data security, compliance strategy and overall security program. For organizations that lack resources, working harder on a strategy is not a viable option. The answer is, instead, to work smarter on the right tasks and activities. For starters, you need to clarify what you are aiming for to achieve the right goals in an evolving, increasingly interconnected security matrix.

    For many years, Verizon has been exploring different methodologies and tools to help you accomplish the right security goals. Integrating the Logical Thinking Process into your security planning is the next essential step. This step-by-step systems approach to complex problem solving is based on the Theory of Constraints (TOC). Its application is easy to grasp, as it provides simple diagramming processes to identify the root cause of any undesirable effect in a control environment. As a valuable planning tool, it can even move a rusty needle to clarify goals and solve problems.

    • If you want a significant change in results, then you probably need a significant change to your strategy, to your approach—how you pursue (design, execute and evaluate, improve, etc.) your objectives and goals at a project, program and strategic level. Working harder on your current strategy is unlikely to move the needle; you need to work smarter and pursue the right goals with focus.

    • The opening paragraph of the 2020 PSR[10] (see page 6) mentions that while data security is a complex problem, it need not be complicated. In response, readers asked for additional guidance on what they specifically need to do to assess the complexity, and on how to reveal and reduce the complicated interrelations between the components of their control environment. They requested a strategic approach to data security and compliance, a method to help them decide what to focus on, ways to determine what to aim for (goals and objectives) and post-implementation methods to measure success. This PSR focuses on Verizon’s “True North” answers to their questions.

  • Understanding the TOC and application of the LTP are valuable additions to your toolbox, because they unlock the steps for designing and implementing a sustainable and effective security and compliance control environment. A strategic approach is essential. However, crafting an excellent strategy while pursuing goals that are unclear, lack alignment or are the wrong goals altogether is like bailing water from a boat that has a hole in the bottom. Not only is the process counterproductive and wasteful, it can also be very demoralizing.

    We’ve done both the bailing and repair for you with a “navigational chart” that pinpoints the best course to take to define goals and objectives for your security and compliance strategy and program—and the necessary conditions to attain them. Having a chart with the best-proven strategies will help your organization avoid unintended consequences, which can be cataclysmic to a security program.

    “The questions you ask determine the answers you get.”

    —Anonymous


    Unintended consequences: The Ever Given metaphor

    The container ship Ever Given’s unfortunate accident in the Suez Canal is a timely metaphor for the importance of considering unintended or unexpected consequences. Such consequences can occur when design, strategy and planning lack foresight and coordination.

    The Suez Canal was created to accommodate shipping traffic between Port Said on the Mediterranean Sea and Suez on the Red Sea. In 2015, engineers widened the canal in certain sections for two-lane traffic and for the increasing size and weight of container ships. In the past 15 years, the size and weight of container ships has doubled—increasing container capacity from about 10,000 20-foot equivalent units (TEUs) to as many as 25,000 TEUs. In March 2021, one of the largest ships in the world, the Ever Given, became lodged sideways in the canal for six days and four hours, stalling tens of billions of dollars in trading per day.

    Several converging factors caused the accident:

    1. Human error and poor communication and coordination[12]
    2. Limited regulation and/or coordination between the shipping industry and Suez Canal officials during the time container ships grew significantly in size[13]
    3. A narrow section of the canal where the Ever Given—one of the longest ships in service—became wedged was not widened during the 2015 Egyptian canal redevelopment project
    4. Hydrodynamics: Large container ships in shallow, narrow canals have a smaller gap between the hull, canal walls and canal floor, increasing the bank and squatting effects, making ships less maneuverable[14]
    5. A dust storm and high winds apparently impacted visibility and maneuverability

    What could planners have foreseen and implemented to avoid that disaster? Were unintended consequences at play? What regulations could have helped? Was there advanced warning, or was it a black swan event, unpredictable beyond what is normally expected of a situation with potential severity “characterized by their extreme rarity, severe impact and the widespread insistence they were obvious in hindsight?”[15]

  • What are unintended consequences?

    The concept of unintended or unanticipated consequences was first coined by sociologist Robert K. Merton to describe outcomes of a purposeful action that are not intended or foreseen. His foundational work “The Unanticipated Consequences of Purposive Social Action”[11] defines three different types of unintended consequences:

    • Unintended benefit
      A positive, unexpected benefit (sometimes called a windfall or serendipity)
    • Unintended drawback
      A negative consequence that comes with a positive benefit
    • Perverse result
      A negative consequence with no positive benefit

    Unintended consequences are sometimes categorized as both a drawback and perverse result. This is particularly relevant in cases with unexpected security or safety concerns.

  • “The best laid plans of mice and men often go awry.”[16]

    —Robert Burns


    In 2015, the Organization for Economic Co-operation and Development (OECD) raised the following concerns about the shipping industry:[17]

    • Container lines typically are not consulting regulatory, government or shipping agencies before building larger container ships
    • Appropriate discussion forums are needed “between liners and transport stakeholders … including governments, regulators, port authorities and all interested constituents … to facilitate an exchange of views, an understanding of objectives and plans, and ultimately better coordination”
    • Attention is needed on “insurability of mega-ships and the costs of potential salvage in case of accidents”
    • Data is showing the potential cost savings to carriers as “fairly marginal,” while infrastructure upsizing costs “could be phenomenal”
    • Many ports and countries “accidentally or on purpose, encouraged the development of mega-ships”
    • Countries and ports “frequently make decisions that seem positive on an individual level, but could be detrimental at a collective level,” and an extensive cost/benefit analysis is needed


    Failure to deal with constraints

    When completed in 1869, the Suez Canal was 102 miles long, 26 feet deep and 200 feet wide at the narrowest point, with maximum capacity for a loaded ship weighing 5,000 tons. The canal was later expanded to 120 miles long, 79 feet deep and 656 feet wide at its narrowest point, with maximum capacity for a ship weighing 240,000 tons. The 1,312-ft Ever Given is significantly longer than the canal is wide and became stuck where the canal is about 985 feet wide.

    The Ever Given fiasco shows how important it is to pinpoint constraints in a design. This is particularly relevant today at a time of rapid evolution and complexity with digital transformation. All possible constraints (based on a risk assessment) need to be considered when building security frameworks. After the fiasco, the Egyptian government acknowledged the lack of foresight and, in May 2021, announced plans to widen and deepen the canal in the stretch where the Ever Given lodged.

  • The Top 7 Strategic Data Security Management Traps

    In the 2020 Payment Security Report, we included the Top 7 Strategic Data Security Management Traps to help CISOs streamline planning processes. Knowing these traps is valuable when considering how unintended consequences can be overlooked in planning stages. Applied to the Ever Given accident, the relevant traps include:

    Trap 3: Lack of resourcing capabilities

    Were feasibility studies performed by enough entities? Were planners, designers and engineers given ample resources to analyze potential problems and complete the entire design? Did they struggle with time and resource constraints?

    Trap 4: Falling short on sound strategic design

    Was it planned properly in the design stages?

    Trap 5: Deficient strategy execution

    Was the plan sufficient, but alignment between various entities insufficient?

    Trap 7: Communication and culture constraints

    Was there ample communication? Did it focus on the most complex, crucial and cultural issues?


    When implementing design changes, CISOs and security experts should consider the “precautionary principle,” which emphasizes that the burden of proof should be defined as being able to show lack of harm, rather than to prove harm. The approach is often used by policy makers when conclusive evidence is not yet available and redesigning and decision-making can result in harm. “The precautionary principle forces us to ask a lot of difficult questions about the nature of risk, uncertainty, probability, the role of government and ethics. It can also prompt us to question our intuitions surrounding the right decisions to make in certain situations.”[18] When designing for change, such considerations can help organizations avert costly data breaches.

  • Digital risk management and predictive technology

    Making even minor changes to complex systems can result in unforeseen outcomes. Anticipating and planning for all possible repercussions in the design process is essential, but complex interdependencies can make predicting outcomes difficult. This is why payment security requires a comprehensive, well-researched design approach. This is especially true when combining the new customized approach of PCI DSS v4.0 with the multiple drivers of digital transformation.

    Digital risk management (DRM) is central to security and enterprise risk for evolving organizations that are increasingly dependent on digital processes. DRM strives to build digital resiliency so that an organization’s security systems can detect and respond to digital threats, thereby reducing financial disruptions and losses.[19] Many of these risks will emerge in new forms as innovative digital processes, services and products are introduced to already well-established frameworks.

    2020 proved to be a year when threat actors launched particularly surreptitious attacks in response to companies scrambling to adapt to and survive the COVID-19 pandemic. Shortly after COVID-19 became widespread, 69% of boards of directors accelerated their digital business initiatives, according to the “2021 Board of Directors Survey” by Gartner Group, conducted May through June 2020 in the United States, Europe-Middle East-Africa (EMEA), and Asia-Pacific (APAC) regions. The study also found that 67% expected budget increases in technology and a nearly 7% increase in 2020 IT budgets.[20]

    Predictive technologies are expected to become increasingly helpful with risk management and adverse unintended consequences. However, organizations need to take the necessary steps to prepare for integration of algorithms, analytics and artificial intelligence (AI) as viable means of risk management.[21] (See “Appendix D: AI and ML in the payment card industry” on page 159 for more details.)

    The psychology of risk compensation

    In addition to focusing on digital risk, CISOs and security experts need to be mindful of risk compensation: the tendency to allow risky behaviors to increase when implementing security controls because of the false sense of security the controls create. Insurance companies are factoring this tendency into their security assessments. Risk compensation is a common syndrome in traffic psychology, where the presence of new safety measures creates a tendency for people to exhibit riskier behaviors. For example, introducing safety features such as seat belts, helmets and anti-lock braking systems in vehicles resulted in an increase in driving speed.[22] According to a 1994 study, motorists drove faster and with less caution when wearing seat belts. In similar risk compensation theory studies, when a vehicle was equipped with anti-lock braking systems, drivers drove closer to the vehicles preceding them.[23]