PCI Compliance Series: PCI and Data Breaches - Dispelling the Relationship Myth - Part 2 of 3
In my last article, I focused on why PCI compliance shouldn't equal complacency and discussed how some organizations are in danger of just "ticking the boxes" in order to comply with the bare minimum of requirements. This approach will offer little comfort in the aftermath of a breach. The message is clear: "if you value your business then value the information you retain – don't become a victim of your own security neglect!"
Let's take a step back for a second... Are the critics right? Can PCI address evolving security issues?
Updates to PCI DSS, and other PCI Security standards, occur on a three-year cycle. Many critics argue that this isn’t regular enough to address the changing information security threat landscape and evolving factors such as:
- Advances in payment technology — e.g., mobile payments and increasingly sophisticated store cards;
- The adoption of cloud and virtualization technologies by companies looking to increase agility and cut costs;
- The increasing sophistication of hackers and the raw computing power they have at their disposal.
However, in reality updating the standards more frequently isn’t the answer. In fact, the timing of the updates has already shifted from the previous two-year cycle, in response to feedback that organizations needed more time to learn about and comply with new versions of the Standard. To enhance the maturity of the corporate information security management system, and the effectiveness of the control environment, organizations are encouraged to implement additional security controls beyond those prescribed in the PCI Security standards.
...Put simply, is a lack of PCI security to blame for data breaches?
According to the Verizon 2014 PCI Compliance Report, in most cases, payment card data breaches are not a failure of security technology, nor a failure of the Payment Card Industry Data Security Standard itself to specify a better list of security controls. Rather they stem from a failure by organizations to implement the appropriate compliance and security measures to offer effective, sustainable data protection.
Generally speaking, organizations are not aware of the risks to the card data they control. In addition, they do not know whether their attempts to implement the security controls required by the PCI Security standards are actually effective, because effectiveness is often never measured.
The Verizon 2013 Data Breach Investigations Report (DBIR) makes a clear case for the importance of effective authentication to system security. 76 percent of all network intrusions investigated exploited weak or stolen credentials. And in many cases these were very simple attacks using readily available password cracking tools. Organizations can close such vulnerabilities with straightforward measures; DBIR analysis suggests that simply using something other than single-factor username/password credentials would have likely thwarted 80 percent of the hacking attacks analyzed.
Our PCI research found that in 2013, 64.4 percent of the organizations we reviewed failed to restrict each account with access to cardholder data to just one user, limiting traceability and increasing risk. This would be simply resolved by correctly implementing and maintaining Requirement 8 of PCI DSS. This PCI Security requirement also helps close backdoors linked to old corporate accounts by requiring that the accounts of former employees be disabled and promptly removed.
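The two findings above (single-factor credentials, and accounts that are shared or left behind by former employees) are exactly the kind of thing that goes unmeasured. As an added illustration, not part of the original article or of Verizon's research, the script below runs a simple account-hygiene audit over a constructed account inventory and HR termination feed for a hypothetical payment server. The field names, the seven-day removal grace period and all sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from collections import Counter


@dataclass(frozen=True)
class Account:
    """One login on a system that stores or accesses cardholder data.
    Field names are hypothetical; owners lists every person known to use the login."""
    username: str
    owners: tuple          # employee IDs; more than one means the login is shared
    enabled: bool
    mfa_enrolled: bool     # False = single-factor username/password only


# Constructed HR feed: employee ID -> termination date for people who have left.
HR_TERMINATED = {
    "E1003": date(2014, 3, 1),
    "E1007": date(2013, 12, 1),
}

# Constructed account inventory for a hypothetical payment server.
ACCOUNTS = [
    Account("jsmith", ("E1001",), enabled=True, mfa_enrolled=True),
    Account("posadmin", ("E1002", "E1004", "E1005"), enabled=True, mfa_enrolled=False),
    Account("mjones", ("E1003",), enabled=True, mfa_enrolled=True),
    Account("svc_batch", ("E1006",), enabled=True, mfa_enrolled=False),
    Account("old_contractor", ("E1007",), enabled=False, mfa_enrolled=False),
]

# Constructed date on which the audit is run.
AS_OF = date(2014, 4, 15)


def audit_accounts(accounts, terminated, as_of, removal_grace_days=7):
    """Return (username, finding) pairs for the control gaps discussed above:
    logins with no single accountable user, single-factor logins, and accounts of
    former employees that are still enabled or not yet removed.
    removal_grace_days is an assumed policy value, not a PCI DSS figure."""
    findings = []
    for acct in accounts:
        if len(acct.owners) == 0:
            findings.append((acct.username, "no-named-owner"))
        elif len(acct.owners) > 1:
            findings.append((acct.username, "shared-account"))
        if acct.enabled and not acct.mfa_enrolled:
            findings.append((acct.username, "single-factor"))
        for owner in acct.owners:
            left = terminated.get(owner)
            if left is None:
                continue  # still employed
            if acct.enabled:
                findings.append((acct.username, "terminated-user-still-enabled"))
            elif (as_of - left).days > removal_grace_days:
                findings.append((acct.username, "terminated-user-not-removed"))
    return findings


def summarize(findings):
    """Count per finding type: the figure a compliance program would track over time."""
    return dict(Counter(kind for _, kind in findings))


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, HR_TERMINATED, AS_OF)
    for username, kind in results:
        print(f"{username:16s} {kind}")
    print(summarize(results))
```

Run against a real account export and HR feed, the counts from `summarize` give an organization a measurable answer to the question the article raises: whether its Requirement 8 controls are actually working, rather than merely documented.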
...If there is one universal PCI Data Security Standard, then surely all verticals and geographical regions are equal in compliance?
This is not the case at all; in fact, there are significant differences across sectors and geographies.
Global losses from payment card fraud are growing — The Nilson Report estimates that they exceeded $11.2 billion in 2012. But it is not just cardholders that are affected by card fraud. When a company suffers a data breach and cardholder data is lost, they are likely to face remediation costs, notification costs, financial penalties from acquirers, and the loss of customer trust — leading to lost business.
Our research showed that between 2011 and 2013, nearly twice as many retailers (69.7 percent) as hospitality organizations (35 percent) were compliant with at least 80 percent of the controls in PCI DSS 2.0. This small insight into the verticals demonstrates the disparity between different industries; we will explore this more in a later article, so keep watching the News Center for more information!
Region to region we saw distinct differences; however, we have to remember that these are also due to significant differences in the maturity of payment technology infrastructure, breach notification laws, varying legal requirements and levels of adoption, as well as cultural differences. Historically, different regions of the world have received very different levels of attention in promoting compliance with the PCI Security standards, which also contributed to the geographic variation in compliance.
To summarize, in Europe, just 31.3 percent of organizations were compliant with at least 80 percent of controls, lagging behind North America (56.2 percent) and Asia-Pacific (75 percent).
So I hear you say... what does all of this mean to me, and how can a PCI program be improved?
Watch out for my next article, in which I will discuss how to put a PCI program into practice and what its most important aspects should be. In the meantime, remember: the proper deployment and maintenance of controls, and ongoing education and awareness around data protection and security policies, are critical for the successful ongoing implementation of PCI Security.
Learn more about how Verizon helps companies manage risk and maintain brand reputations.