Navigation

Businesses failing to comply with PCI DSS security standards: Verizon and Banktech India News Network, 9/29/2011 10:55:29 AM

Oct 11, 2011

Businesses failing to comply with PCI DSS security standards:Source: Verizon and Banktech India News Network, 9/29/2011 10:55:29 AM
Too many businesses are struggling to comply with payment card security standards, putting consumers’ confidential information at risk, according to a report by IT services and solutions provider Verizon. Te report for a second year in a row found compliance lacking on the payment card security front.

According to the Verizon Payment Card Industry Compliance Report, most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). As a result, they are at greater risk of losing confidential customer information and falling victim to credit-card fraud.

Businesses are failing to maintain compliance even though they face steep penalties, including fines and increased transaction fees from the credit card brands. Businesses also now face pressure from their partners and customers to demonstrate continued compliance.

In addition to analyzing the overall current state of compliance with the PCI DSS, the report examines how well organizations comply with the 12 specific PCI requirements and provides recommendations that organizations can implement to help them earn and maintain compliance.

“We had hoped to see more organizations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organizations and in all likelihood lead to fewer breaches,” said Wade Baker, director of risk intelligence, Verizon. “By reviewing this report, organizations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit-card environment for consumers and businesses.”

The report is based on findings from more than 100 PCI DSS assessments conducted by Verizon’s team of PCI Qualified Security Assessors in 2010, as well as data gathered by Verizon’s Investigative Response group while investigating real-world payment card data breaches. Additionally, the Verizon Risk Intelligence team overlaid the assessment findings with data-breach cases from the 2011 Verizon Data Breach Investigations Report, resulting in a richer, more thorough data set.

The assessments include data from organizations based in the U.S., Europe and Asia, representing for the first time the global nature of the PCI standard. Key Findings Top findings from the 2011 Verizon Payment Card Industry Compliance Report include:
• While the compliance situation has neither worsened nor improved, it is still “disappointing.” Only 21 percent of organizations were fully compliant during the initial audit. The report notes that the difficulty in achieving compliance, along with overconfidence, complacency and the need to focus on other compliance and security issues are among the possible reasons for the widespread PCI noncompliance.
• Lack of PCI compliance continues to be linked to data breaches. The report demonstrated again this year that breached organizations are more likely not to be PCI compliant and are more likely to suffer from identity theft and fraud issues.
• Organizations struggle with key PCI requirements. Organizations struggled the most to comply with requirements 3 (protect stored cardholder date), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies), all of which are directly linked to protecting cardholder data.
• Failure to prioritize compliance efforts often means high-risk security threats are ignored. Launched in 2009, the Prioritized Approach was created to help organizations identify and reduce risk to cardholder data and to ease the annual PCI process. The report found that rather than using a risk-based approach to PCI compliance, organizations instead rely on the PCI DSS for guidance. As a result, many organizations are ignoring security threats with the highest risk and potential for the largest negative impacts.
• PCI standard offers protection against the most common attack methods. Malware and hacking are the most predominant methods used to gain access to cardholder data. Several overlapping PCI requirements are aimed at protecting against these attack methods.

Recommendations for Meeting Compliance Based on extensive analysis, Verizon offers the following recommendations to help organizations meet their PCI compliance goals:

Treat compliance as an everyday, ongoing process. Compliance requires continuous adherence to the standard. This means a daily log review, weekly file-integrity monitoring, quarterly vulnerability scanning and annual penetration testing. To achieve this, Verizon recommends that an internal PCI “champion” ensure that compliance becomes part of daily business activities.

Self-validate very carefully – or not at all. Level 1 and 2 merchants -- who process the highest volumes of cardholder transactions --are allowed to assess themselves against the standard. Due to the numerous issues and conflicts of interest this can cause, Verizon highly recommends that an objective third party validate the scope of the assessment or perform the testing.

Prepare to have the bar raised. In October 2010, the PCI Security Standards Council announced PCI DSS version 2.0. This version requires a more stringent executive summary and validation of methodology for scope definition. Organizations, many of which are having severe issues complying with the existing standards, need to quickly get ready for the new version.

PREVIOUS POSTS
May 03.11 | Sony data breach update reveals 'bad practices' By Emily Chung, CBC News

The data breach affecting Sony Online Entertainment's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users. Thomas Peter/Reuters read more

Mar 11.11 | Assume you’re always under attack’: experts By: Liam Lahey On: 11 Mar 2011 For: ComputerWorld Canada

Enterprises must make a conscious decision about what information we’re prepared to lose, said an exec with security vendor Symantec. Why companies are missing the mark with security risk management read more

Oct 26.10 | ‘Spear-Phishing’ Attacks Keep on Giving by Kim Zetter, wired.com

‘Spear-Phishing’ Attacks Keep on Giving

* By Kim Zetter read more

Sep 16.09 | Web server attacks, poor app patching make for nasty mix Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats By Gregg Keizer September 15, 2009 03:44 PM ET

Web server attacks, poor app patching make for nasty mix
Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats
By Gregg Keizer
September 15, 2009 03:44 PM ET read more

Jul 02.09 | Heartland breach cost $12.6 million, CEO says

By Robert Westervelt, News Editor 07 May 2009 | SearchFinancialSecurity.com

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems. read more

Apr 20.09 | RBS, Heartland no longer PCI compliant

RBS, Heartland no longer PCI compliant

By Dan Goodin in San Francisco • Posted in Security, 13th March 2009 21:40 GMT

Visa on Friday alerted the world that RBS WorldPay and Heartland Payment Systems are not on its list of payment card processors who are in good standing with industry-mandated standards for data security.

The move follows announcements by both companies that they experienced data breaches that exposed details for a large number of credit cards to criminal hackers. RBS said the security lapse exposed 1.5 million cards. Heartland has yet to say how many cards were affected.
read more

Sep 30.08 | FAQ: Clickjacking -- should you be worried? Nearly all browsers are vulnerable to this new attack class, but details are scarce!

read more

Jul 25.08 | Credit-card fraud probe targets Pearson's self-service kiosks

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks. read more

Feb 25.08 | MONERIS SOLUTIONS LAUNCHES NEW E-PHILANTHROPY INITIATIVE WITH C.N. WYLIE GROUP!

Moneris’ new eSELECTplus® payment tool will be used with Wylie’s Helpforcharities.com Web site so organizations can easily accept electronic contributions and purchases online
read more

ARCHIVE