
PCI DSS link

by Mark Rowe

There is a link between organisations' compliance with the Payment Card Industry Data Security Standard (PCI DSS) and their ability to defend against cyberattacks, according to the Verizon 2017 Payment Security Report (2017 PSR), published by the telecoms firm. Briefly, PCI DSS is a standard for businesses that take card payments, used to assess the physical and cyber protection of their payment systems against theft of cardholder data; it covers protecting data in transit, vulnerability management and overall risk management, and controls such as penetration tests.

Of all the payment card data breaches that Verizon investigated, no organisation was fully compliant at the time of the breach, and breached organisations showed lower compliance with ten of the 12 PCI DSS key requirements. Overall PCI compliance has increased among global businesses: 55.4 percent of the organisations that the company assessed passed their interim assessment in 2016, up from 2015, when less than half (48.4 percent) achieved full compliance during their interim validation. This means that nearly half of the retailers, restaurants, hotels and other businesses that take card payments are still failing to maintain compliance from year to year.

Comments

Rodolphe Simonetti, global managing director for security consulting, Verizon, said: “There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks. Whilst it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small – are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner. It is no longer the question of ‘if’ data must be protected, but ‘how’ to achieve sustainable data protection. Many organizations still look at PCI DSS controls in isolation and don’t appreciate that they are inter-related – the concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals – however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts.”

As an example, a financial services firm seeking exemption from the wireless (Wi-Fi) requirements of PCI DSS was surprised to learn that it did in fact have a wireless network operating in its building, and this lack of knowledge caused it to fail. The IT admin had tired of walking from the server room in the basement to the IT department on the third floor, and so had installed a router to access the servers from his desk.

Troy Leach, chief technology officer for the PCI Security Standards Council, said: “The report highlights the challenges organizations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack. This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2, which focuses on helping organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.”

About the report

Similar to Verizon’s Data Breach Investigations Report series, the 2017 PSR is based on casework with a focus on financial services (47.5 percent); IT services (22.3 percent), hospitality (15.1 percent) and retail (14.4 percent). Geographies include the Americas (42.4 percent), Europe (28.1 percent) and the Asia-Pacific region (29.5 percent).


© 2024 Professional Security Magazine. All rights reserved.
