Page 12 - GS140301
News
Verizon bases that opinion on the over 4,000 security
assessments it conducted for 500 clients. Verizon has a
qualified security assessment team of 550 professionals,
it said.
Responses to criticisms
Verizon cited Nilson Report research from August 2013
that said card fraud cost the global payments market over
$11 billion in 2012. Verizon added that the frequency of
fraud schemes that the PCI DSS was designed to avoid
is in fact growing. And yet most businesses are not fully
compliant at the time of assessment.
Verizon said that only 51.1 percent of the companies it
had audited had passed seven of the 12 requirements
of the PCI DSS; and only 11.1 percent of said companies
had passed all 12.
Verizon addressed some of the criticisms leveled at the
PCI DSS. One concern is that the standard promotes
compliance as a test to be passed and forgotten, which
distracts companies from focusing on improving
security. Verizon responded by stating that breached
businesses were less likely to be PCI DSS compliant
than unaffected companies. It also said businesses
improve their chances of not being breached by having
the standard in place, and of minimizing the damage of
a breach should one occur.
Another common complaint leveled at the standard is
that it is too cumbersome and slow moving in relation
to the quickly evolving threat landscape and nimble
fraudsters ready to try new tactics. Verizon countered
that the PCI DSS is meant to be a set of baseline security
protocols. "[A]chieving compliance with any standard
is simply not enough – organizations must take
responsibility for protecting both their reputation and
their customers," the company said.
Verizon added that most attacks on networks are of the
simple variety, with 78 percent of hacking techniques
considered low or very low in sophistication. "Our DBIR
[data breach investigations report] research shows that
while perpetrators are upping the ante – trying new
techniques and leveraging far greater resources – less
than 1 percent of the breaches use tactics rated as 'high'
on the VERIS [Verizon's data breach analysis database]
difficulty scale for initial compromise," Verizon said.
Recommendations
The newest version of the standard, PCI DSS 3.0, went
into effect Jan. 1, 2014. Businesses have until Jan. 1, 2015,
to implement it. Verizon acknowledged that the updated
standard introduces new requirements and clarifications
relative to version 2.0 that will take businesses time to
understand and implement, and that this will result in more
organizations being out of compliance.