The Green Sheet Online Edition
April 13, 2015 • Issue 15:04:01
Verizon study calls for improved PCI security
The Verizon 2015 PCI Compliance Report is Verizon Communications' fourth and most extensive study of global trends in payment card security. Highlights include a review of Payment Card Industry (PCI) Data Security Standard (DSS) baseline requirements and a first-time focus on sustainable security practices.
The study explores why four out of five companies fall out of compliance after passing their PCI audits. Additionally, two-thirds of the companies studied used incomplete or inadequate test scripts for their in-scope security systems.
Council sounds wake-up alarm
The PCI Security Standards Council, established in 2006 by American Express Co., Discover Financial Services, JCB International Credit Card Co. Ltd., MasterCard Worldwide and Visa Inc., is an open global forum focused on developing and managing the PCI DSS, and on education and awareness of it, for increased payment data security.
Stephen W. Orfei, the PCI SSC's General Manager, called the Verizon report "a wake-up call for every business that cares about payment security," adding that despite overall progress, businesses still have a long way to go in prioritizing and implementing payment security.
Orfei acknowledged that there is no "silver bullet" for preventing security breaches and urged companies to take a "multilayered approach to security" by managing access, strengthening security at the POS and remaining vigilant to the evolving threat landscape.
The report noted a global increase in credit card spending, predicting that total world card payments will exceed $20 trillion in 2015. The PCI DSS provided the framework for the report's quantified analysis. Following are three takeaways from the report.
- Compliance is up: Overall PCI compliance increased between 2013 and 2014 for 11 of the 12 PCI DSS requirements, with an average increase of 18 percent per business.
- Sustainability is low: Fewer than one third (28.6 percent) of companies retained PCI compliance in the 12 months following successful validation.
- Data security is still inadequate: The PCI DSS is an industry-wide minimum acceptable standard, not the pinnacle of payment card security, and PCI compliance should be seen as part of a comprehensive information security and risk-management strategy.
The report examined all 12 of the PCI DSS requirements: maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus tools, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.
Each requirement was reviewed according to its role in a comprehensive security strategy. The report also examined newer versions of each requirement that reflect emerging technologies and the evolving threat environment.
For example, Requirement 2 prohibits the use of vendor-supplied default passwords and other default security parameters. This requirement has been affected by virtualization and cloud technologies.
"Requirement 2 is one of the requirements most affected by the emergence of virtualization and cloud," the report stated, referring to technologies that simplify information technology (IT) infrastructures. The introduction of new technology can pose challenges to IT professionals tasked with separating in-scope and out-of-scope systems that coexist on the same physical server.
Fraud may escalate in CNP sphere
Orfei noted that the U.S. transition to EMV (Europay, MasterCard and Visa) chip technology will make 2015 a pivotal year in payments. His tone of cautious optimism is reflected in Verizon's report, which references the coming liability shift on Oct. 1, 2015, for POS terminals and on Oct. 1, 2017, for automated fuel dispensers. The report pointed out that EMV is not a panacea, and suggested that experience gained in other countries shows that it displaces, rather than eliminates, fraud.
EMV cards may initially increase the security of card-present transactions, and "attackers may focus their attention on 'card not present' (CNP) transactions, including online shopping," the report stated. The report also noted that banks and card issuers are developing new methods of encryption, tokenization and behavioral analytics to enhance the security of e-commerce transactions.
Becoming, remaining compliant
In addition, Verizon's 2015 report explored why companies fail to sustain PCI compliance – in many cases for less than a year after achieving successful audits.
Verizon attributed the problems to two failures. The first is failing to build robust procedures, which must be not only built but also managed and maintained. The second is failing to recognize that an assessment is a snapshot: it captures only a moment in time and demonstrates only that the company, and the sites, devices and systems selected during sampling, were deemed compliant at that moment.
Real payment card data security requires ongoing controls and vigilance beyond the PCI assessment. Orfei described passing an annual compliance assessment as a starting point for implementing a broader, vigilant and proactive security program. "Only a combination of people, process and technology, and a focus on making security a 'business-as-usual' practice will help thwart these constant threats," he said.