The Green Sheet Online Edition

April 13, 2015  •  Issue 15:04:01


Verizon study calls for improved PCI security

The Verizon 2015 PCI Compliance Report is Verizon Communications' fourth and most extensive study of global trends in payment card security. Highlights include a review of Payment Card Industry (PCI) Data Security Standard (DSS) baseline requirements and a first-time focus on sustainable security practices.

The study explores why four out of five companies fall out of compliance after passing their PCI audits. Additionally, two-thirds of the companies studied used incomplete or inadequate test scripts for their in-scope security systems.

Council sounds wake-up alarm

The PCI Security Standards Council, established in 2006 by American Express Co., Discover Financial Services, JCB International Credit Card Co. Ltd., MasterCard Worldwide and Visa Inc., is an open global forum focused on developing and managing the PCI DSS, and on education and awareness around it, to increase payment data security.

Stephen W. Orfei, the PCI SSC's General Manager, called the Verizon report "a wake-up call for every business that cares about payment security," adding that despite overall progress, businesses still have a long way to go in prioritizing and implementing payment security.

Orfei acknowledged that there is no "silver bullet" for preventing security breaches and urged companies to take a "multilayered approach to security" by managing access, strengthening security at the POS and remaining vigilant to the evolving threat landscape.

Report highlights

The report noted a global increase in credit card spending, predicting that total world card payments will exceed $20 trillion in 2015. The PCI DSS provided the framework for the report's quantified analysis. Following are three takeaways from the report.

  1. Compliance is up: Overall PCI compliance increased between 2013 and 2014 for 11 of the 12 PCI DSS requirements, with an average increase of 18 percent per business.
  2. Sustainability is low: Fewer than one third (28.6 percent) of companies retained PCI compliance in the 12 months following successful validation.
  3. Data security is still inadequate: The PCI DSS is an industry-wide minimum acceptable standard, not the pinnacle of payment card security, and PCI compliance should be seen as part of a comprehensive information security and risk-management strategy.

Requirement-by-requirement analysis

The report examined all 12 of the PCI DSS requirements: maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus tools, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.

Each requirement was reviewed according to its role in a comprehensive security strategy. The report also examined newer versions of each requirement that reflect emerging technologies and the evolving threat environment.

For example, Requirement 2 prohibits using vendor-supplied default passwords or security parameters. Cloud and virtualization technologies have had a particular impact on this requirement.

"Requirement 2 is one of the requirements most affected by the emergence of virtualization and cloud," the report stated, referring to technologies that simplify information technology (IT) infrastructures. The introduction of new technology can pose challenges to IT professionals tasked with separating in-scope and out-of-scope systems that coexist on the same physical server.

Fraud may escalate in CNP sphere

Orfei noted that the U.S. transition to EMV (Europay, MasterCard and Visa) chip technology will make 2015 a pivotal year in payments. His tone of cautious optimism is reflected in Verizon's report, which references the coming Oct. 1, 2015, liability shift for POS terminals, and Oct. 1, 2017, for automated fuel dispensers. The report pointed out that EMV is not a panacea, and noted that experience in other countries shows it displaces, rather than eliminates, fraud.

EMV cards may initially increase the security of card-present transactions, and "attackers may focus their attention on 'card not present' (CNP) transactions, including online shopping," the report stated. The report also noted that banks and card issuers are developing new methods of encryption, tokenization and behavioral analytics to enhance the security of e-commerce transactions.

Becoming, remaining compliant

In addition, Verizon's 2015 report explored why companies fail to sustain PCI compliance, in many cases losing it less than a year after passing their audits.

Verizon attributed the problem to two failures. The first is failing to build robust procedures, which must not only be built but also managed and maintained. The second is failing to recognize that an assessment is a snapshot: it captures only a moment in time and demonstrates only that the company and the sites, devices and systems selected during sampling were deemed compliant at that moment.

Real payment card data security requires ongoing controls and vigilance beyond the PCI assessment. Orfei described passing an annual compliance assessment as a starting point for implementing a broader, vigilant and proactive security program. "Only a combination of people, process and technology, and a focus on making security a 'business-as-usual' practice will help thwart these constant threats," he said.
