According to the latest report by Verizon, every organization that suffered from a data breach during 2010 to 2016 wasn’t fully PCI DSS compliant. Is yours?
4. “The Payment Card Industry Data Security Standard (PCI DSS) is a set of security guidelines applicable to all organizations that accept, store, and process credit card information.”
7. PCI DSS Compliance
○ The PCI DSS is comprised of 12 key requirements that any website dealing with payment cards must adhere to.
○ The Verizon 2017 Payment Security Report clearly outlines the relation between PCI DSS compliance and data breaches.
○ Interestingly, almost all the victimized companies that Verizon analyzed between 2010 and 2016 were found to have violated the PCI DSS at the time of their breach.
○ Even more interestingly, the report indicates that only 55.4% remain fully PCI compliant one year after their preliminary assessment.
○ These two are the key findings of the 60-page Verizon 2017 Payment Security Report – the ‘highlights’, if you may.
8. • However, there’s no need to get overly pessimistic about these numbers. There is some good news, too.
So, which one would you like to hear first — good news or bad news?
Okay, let’s go through some good news first.
10. Compliance on the rise
The report states that 55.4% of companies in 2016 remained fully PCI compliant one year after their preliminary assessment.
This number may sound a little on the downside, but it’s not. 55.4% is a massive improvement over the 48.4% recorded in 2015.
11. Default credentials are a thing of the past
One of the 12 PCI DSS requirements is NOT to use default vendor-supplied credentials.
Going by Verizon’s report, 81.3% of organizations heed this requirement – an encouraging sign indeed.
12. Finance sector leading by example
If there is any sector that needs to comply with the PCI DSS more than others, it’s the finance sector.
Almost 60% of financial services organizations fall within the boundaries of PCI DSS.
13. Customers getting savvier
Another key finding of the report was the rise in customer awareness.
The report states: “66% say they would be unlikely to do business with an organization that experienced a breach where their financial and sensitive information was stolen.”
Now let’s get to the bad news. This is the part you should have a close look at.
15. The love-hate relationship between data breaches and PCI compliance
The report demonstrates a clear link between PCI DSS compliance and data breaches.
The organizations that are fully PCI compliant have a very low chance of being the victim of a data breach.
16. • Speaking of which, Rodolphe Simonetti, Verizon’s global managing director for security consulting, said:
“There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks. [While] it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small – are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner.”
18. Security Testing: Needs Improvement
An important part of the 12 requirements is ‘Security Testing.’
This requires organizations to test their security systems and processes under some specific guidelines.
Unfortunately, only 71.9% of organizations are compliant with this requirement.
19. Tracking and Monitoring: A bluntly ignored requirement
To protect your online business against potential data breaches, you need to constantly track and monitor access – that’s actually Requirement 10 of the PCI DSS. 91.9% of the companies assessed after a data breach were found to be disregarding this requirement.
Now that you know the significance that the PCI DSS requirements hold, we hope that you will comply with (or at least think about) the requirements.
32. 12. Maintain a policy that addresses information security for all personnel.
33. And if you’re feeling particularly motivated and want to dig in deep, you can learn more about these requirements on the Payment Security Council’s official website.
34. THANKS!
If you have any questions about this document, please don’t hesitate to contact us at:
https://cheapsslsecurity.com/blog/
https://twitter.com/sslsecurity
https://www.facebook.com/CheapSSLSecurities
https://plus.google.com/+Cheapsslsecurity