  • Monday, March 23, 2015

    Verizon study details need for improved PCI security

    The Verizon 2015 PCI Compliance Report is Verizon Communications' fourth and most extensive study of global trends in payment card security. Highlights include a review of Payment Card Industry (PCI) Data Security Standards (DSS) baseline requirements and a first-time focus on sustainable security practices.

    The 84-page study explores why four out of five companies fall out of compliance after passing their PCI audits. Additionally, two thirds of the companies studied used incomplete or inadequate test scripts for their in-scope security systems.

    PCI Council sounds wake-up alarm

    The PCI Security Standards Council, established in 2006 by American Express Co., Discover Financial Services, JCB International Credit Card Co. Ltd., MasterCard Worldwide and Visa Inc., is an open global forum focused on developing, managing, educating, and raising awareness of the PCI DSS for increased payment data security.

    Stephen W. Orfei, the PCI SSC's General Manager, called the Verizon report "a wake-up call for every business that cares about payment security," adding that despite overall progress, businesses still have a long way to go in prioritizing and implementing payment security.

    Orfei acknowledged that there is no "silver bullet" to preventing security breaches and urged companies to take a "multilayered approach to security" by managing access, strengthening security at the POS and remaining vigilant to the evolving threat landscape.

    Report highlights

    The report noted a global increase in credit card spending, predicting that total world card payments will exceed $20 trillion in 2015. The PCI DSS provided the framework for the report's quantified analysis. Following are three takeaways from the report.

    1. Compliance is up

      Overall PCI compliance increased between 2013 and 2014 for 11 of the 12 PCI DSS requirements, with an average increase of 18 percent per business.

    2. Sustainability is low

      Less than one third (28.6 percent) of companies retained PCI compliance in the 12 months following successful validation.

    3. Data security is still inadequate

      Verizon's viewpoint is that the PCI DSS is "a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security. PCI DSS compliance should not be seen in isolation, but as part of a comprehensive information security and risk-management strategy."

    Requirement-by-requirement analysis

    The report examined all 12 of the PCI DSS requirements: maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus tools, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.

    Each requirement was reviewed according to its role in a comprehensive security strategy. The report also examined newer versions of each requirement that reflect emerging technologies and the evolving threat environment.

    For example, Requirement 2 prohibits using default passwords or security parameters. This requirement has been affected by cloud and virtual technologies.

    "Requirement 2 is one of the requirements most affected by the emergence of virtualization and cloud," the report stated, referring to technologies that simplify information technology (IT) infrastructures. The introduction of new technology can pose challenges to IT professionals tasked with separating in-scope and out-of-scope systems that coexist on the same physical server.

    EMV may drive fraud to card-not-present transactions

    Orfei noted that the U.S. transition to EMV (Europay, MasterCard and Visa) chip technology will make 2015 a pivotal year in payments. His tone of cautious optimism is reflected in Verizon's report, which references the coming Oct. 1, 2015, liability shift for POS terminals, and Oct. 1, 2017, for automated fuel dispensers. The report pointed out that EMV is not a panacea, and suggested that experience gained from other countries shows that it displaces, rather than eliminates, fraud. EMV cards may initially increase the security of card-present transactions, and "attackers may focus their attention on 'card not present' (CNP) transactions, including online shopping," the report stated. The report also noted that banks and card issuers are developing new methods of encryption, tokenization and behavioral analytics to enhance the security of e-commerce transactions.

    Becoming and remaining compliant

    In addition, Verizon's 2015 report explored why companies fail to sustain PCI compliance – in many cases for less than a year after achieving successful audits.

    Verizon noted that the problems stem from two failures. The first is a failure to build robust procedures, which need to be not only built, but also managed and maintained. The second is a failure to see an assessment as a snapshot that captures only a moment in time and demonstrates that a company and its selected sites, devices and systems assessed during sampling were deemed compliant.

    Real payment card data security requires ongoing controls and vigilance beyond the PCI assessment. Orfei described passing an annual compliance assessment as a starting point for implementing a broader, vigilant and proactive security program. "Only a combination of people, process and technology, and a focus on making security a 'business-as-usual' practice will help thwart these constant threats," he said.


    Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.
