The Green Sheet Online Edition

March 10, 2014  •  Issue 14:03:01


Verizon defends the PCI DSS

The Payment Card Industry (PCI) Data Security Standard (DSS) has come under criticism lately as high-profile data breaches continue to expose flaws in retailers' data security systems. But a report issued by telecommunications firm Verizon Wireless concluded that the PCI DSS is working.

In the Verizon 2014 PCI Compliance Report, the researchers acknowledged that the global standard does not entirely safeguard sensitive payment data. "Some even regard the DSS, even in its latest 3.0 guise, as taking fundamentally the wrong approach to security," Verizon said. Then it asked a rhetorical question: "But is it effective in achieving security?" It answered the question with, "Our evidence suggests it is." Verizon based that opinion on the more than 4,000 security assessments it conducted for 500 clients. Verizon has a qualified security assessment team of 550 professionals, it said.

Responses to criticisms

Verizon cited Nilson Report research from August 2013 that said card fraud cost the global payments market over $11 billion in 2012. Verizon added that the frequency of the fraud schemes the PCI DSS was designed to prevent is in fact growing. And yet most businesses are not fully compliant at the time of assessment.

Verizon said that only 51.1 percent of the companies it had audited had passed seven of the 12 requirements of the PCI DSS, and only 11.1 percent of those companies had passed all 12.

Verizon addressed some of the criticisms leveled at the PCI DSS. One concern is that the standard promotes compliance as a test to be passed and then forgotten, which distracts companies from focusing on improving security. Verizon responded by stating that breached businesses were less likely to be PCI DSS compliant than unaffected companies. It also said businesses that have the standard in place improve their chances of not being breached, and of minimizing the damage of a breach should one occur.

Another common complaint leveled at the standard is that it is too cumbersome and slow moving in relation to the quickly evolving threat landscape and nimble fraudsters ready to try new tactics. Verizon countered that the PCI DSS is meant to be a set of baseline security controls. "[A]chieving compliance with any standard is simply not enough; organizations must take responsibility for protecting both their reputation and their customers," the company said.

Verizon added that most attacks on networks are of the simple variety, with 78 percent of hacking techniques rated low or very low in sophistication. "Our DBIR [data breach investigations report] research shows that while perpetrators are upping the ante, trying new techniques and leveraging far greater resources, less than 1 percent of the breaches use tactics rated as 'high' on the VERIS [Verizon's data breach analysis database] difficulty scale for initial compromise," Verizon said.

Recommendations

The newest version of the standard, PCI DSS 3.0, went into effect Jan. 1, 2014. Businesses have until Jan. 1, 2015, to implement it. Verizon admitted that the updated standard contains new requirements and clarifications relative to version 2.0 that will take time for businesses to understand and implement, and that this will result in more organizations being out of compliance in the interim.

"Our data shows that there's an initial dip in compliance whenever a major update to the standard is released, so organizations will have to put in additional effort to prepare for achieving compliance with DSS 3.0," Verizon said.

The firm offered five approaches to help businesses deal with their PCI DSS compliance obligations:

  1. Don't leave compliance solely to information technology security teams; enlist application developers, system administrators, executives and other staff to help move the process along.
  2. Embed compliance in everyday business practices so that it is sustainable.
  3. Integrate compliance programs into enterprise-wide governance, risk and compliance strategies.
  4. Think of compliance as an opportunity to improve overall business processes, rather than as a burden.
  5. Learn how to reduce the scope of the organization's compliance responsibilities, chiefly by figuring out how to store less cardholder data on fewer systems.
