Monday, March 23, 2015
The 84-page study explores why four out of five companies fall out of compliance after passing their PCI audits. Additionally, two thirds of the companies studied used incomplete or inadequate test scripts for their in-scope security systems.
The PCI Security Standards Council, established in 2006 by American Express Co., Discover Financial Services, JCB International Credit Card Co. Ltd., MasterCard Worldwide and Visa Inc., is an open global forum focused on developing, managing, educating, and raising awareness of the PCI DSS for increased payment data security.
Stephen W. Orfei, the PCI SSC's General Manager, called the Verizon report "a wake-up call for every business that cares about payment security," adding that despite overall progress, businesses still have a long way to go in prioritizing and implementing payment security.
Orfei acknowledged that there is no "silver bullet" to preventing security breaches and urged companies to take a "multilayered approach to security" by managing access, strengthening security at the POS and remaining vigilant to the evolving threat landscape.
The report noted a global increase in credit card spending, predicting that total world card payments will exceed $20 trillion in 2015. The PCI DSS provided the framework for the report's quantified analysis. Following are three takeaways from the report.
Overall PCI compliance increased between 2013 and 2014 for 11 of the 12 PCI DSS requirements, with an average increase of 18 percent per business.
Less than one third (28.6 percent) of companies retained PCI compliance in the 12 months following successful validation.
Verizon's viewpoint is that the PCI DSS is "a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security. PCI DSS compliance should not be seen in isolation, but as part of a comprehensive information security and risk-management strategy."
The report examined all 12 of the PCI DSS requirements: maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus tools, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.
Each requirement was reviewed according to its role in a comprehensive security strategy. The report also examined newer versions of each requirement that reflect emerging technologies and the evolving threat environment.
For example, Requirement 2 prohibits using default passwords or security parameters. This requirement has been affected by Cloud and virtual technologies.
"Requirement 2 is one of the requirements most affected by the emergence of virtualization and cloud," the report stated, referring to technologies that simplify information technology (IT) infrastructures. The introduction of new technology can pose challenges to IT professionals tasked with separating in-scope and out-of-scope systems that coexist on the same physical server.
Orfei noted that the U.S. transition to EMV (Europay, MasterCard and Visa) chip technology will make 2015 a pivotal year in payments. His tone of cautious optimism is reflected in Verizon's report, which references the coming Oct. 1, 2015, liability shift for POS terminals, and Oct. 1, 2017, for automated fuel dispensers. The report pointed out that EMV is not a panacea, and suggested that experience gained from other countries shows that it displaces, rather than eliminates fraud. EMV cards may initially increase the security of card-present transactions, and "attackers may focus their attention on 'card not present' (CNP) transactions, including online shopping," the report stated. The report also noted that banks and card issuers are developing new methods of encryption, tokenization and behavioral analytics to enhance the security of e-commerce transactions.
In addition, Verizon's 2015 report explored why companies fail to sustain PCI compliance – in many cases for less than a year after achieving successful audits.
Verizon noted the problems stem from failure to build robust procedures, which need to be not only built, but also managed and maintained, and failure to see an assessment as a snapshot that captures only a moment in time and demonstrates that a company and its selected sites, devices and systems assessed during sampling were deemed compliant.
Real payment card data security requires ongoing controls and vigilance beyond the PCI assessment. Orfei described passing an annual compliance assessment as a starting point for a implementing a broader, vigilant and proactive security program. "Only a combination of people, process and technology, and a focus on making security a 'business-as-usual' practice will help thwart these constant threats," he said.
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
