Data from the Verizon 2014 PCI Compliance Report
Explore the data around 12 specific PCI DSS requirements—and see how compliance is changing year over year. Learn more and download the full report here: http://vz.to/PCIreport2014

Published in: Technology
Transcript

  • 1. Your brand and reputation depend on data security. Data from the Verizon 2014 PCI Compliance Report.

    In 2013, just 11.1% of the organizations we assessed were fully PCI DSS compliant.

    People do business with companies they trust. Yet we find that only about one in nine (11.1%) of organizations is fully compliant at the time of their baseline assessment.

    Should a breach occur, more than just data and trust is lost—companies face business interruption, financial penalties, and lost revenue. In 2012, card fraud resulted in global losses of $11.27 billion.[1] With so much riding on your customer data, securing it is more important than ever.

    PCI DSS requirements:
      1. Install and maintain a firewall configuration to protect cardholder data.
      2. Do not use vendor-supplied defaults for system passwords and other security parameters.
      3. Protect stored cardholder data.
      4. Encrypt transmission of cardholder data across open, public networks.
      5. Use and regularly update anti-virus software or programs.
      6. Develop and maintain secure systems and applications.
      7. Restrict access to cardholder data by business need-to-know.
      8. Assign a unique ID to each person with computer access.
      9. Restrict physical access to cardholder data.
      10. Track and monitor all access to network resources and cardholder data.
      11. Regularly test security systems and processes.
      12. Maintain a policy that addresses information security for all personnel.

    [Chart: compliance scale from 0% compliant to 100% compliant for each of the 12 requirements.]

    Findings by requirement:
      • Requirement 2: Only 53.3% of organizations complied with not using vendor default passwords. Many struggled with the subcontrols for 2.2.2—just 50.5% complied with both.
      • Requirement 3: Only 13.2% of organizations met all the controls on the storage of cardholder data in 2012. In 2013, this rose to 55.6%.
      • Requirement 4: All that failed Requirement 4 failed 4.1.a, data encryption over unsecure networks.
      • Requirement 5: In 2012, only a third (34.0%) of companies’ anti-virus measures met all the controls. By 2013, compliance had jumped to 84.4%.
      • Requirement 7: It’s good practice to limit access to cardholder data on a need-to-know basis. Most organizations realize it’s not acceptable to allow users access to all the data, and as a result, compliance has jumped to 77.8%.
      • Requirement 8: From 2012 to 2013, compliance doubled, up to 35.6%. Still, organizations continue to fail at implementing two important controls—lock accounts after no more than six failed logins and expire idle sessions within 15 minutes—making it easier for criminals to hijack legitimate user accounts.
      • Requirement 9: 35% of breaches involved physical attacks, and POS devices are a common target.[2] Between 2012 and 2013, compliance with Requirement 9 almost tripled, to 75.6%.
      • Requirement 10: The trend is promising, with 46.9% of organizations compliant. But challenges remain with effective log management. This helps provide early warning of attacks and minimize data loss should a breach occur.
      • Requirement 11 (regular testing of security systems and processes) remains in last place in 2013. But compliance improved, from 11.3% in 2012 to 40.0% in 2013.
      • Requirement 12: Organizations are realizing that effective security requires company-wide vigilance. Compliance with Requirement 12 jumped from 17.0% in 2012 to 55.6% in 2013.
      • In 2013, 80.0% of organizations were compliant—second in our study.

    Overall findings:
      • In 2013, 11.1% of companies were fully compliant at the time of their initial baseline assessment—up from 7.5% in 2012 (+48%).
      • Average compliance is up from 52.9% in 2012 to 85.2% in 2013 (+61%).
      • Over 70% of organizations complied with 80–99% of controls in 2013 (up 45 percentage points from 2012, +180%).
      • In 2013, only 12.5% of organizations that suffered a data breach were compliant at the time of the breach—compared to an average of 46.7% for all organizations.
      • In 2013, only 16.4% of organizations that suffered a data breach were compliant, compared to an average of 53.3% for all organizations assessed. This suggests a correlation between non-compliance and data breaches.
      • Global losses from payment card fraud are growing. The Nilson Report estimated losses in 2012 were $11.27 billion.

    Download the Verizon 2014 PCI Compliance Report at verizonenterprise.com/pcireport/2014

    1. The Nilson Report © 2013
    2. Verizon 2013 Data Breach Investigations Report

    © 2014 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.
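The infographic names two Requirement 8 controls that organizations kept failing: locking an account after no more than six failed logins, and expiring idle sessions within 15 minutes. The following is an added example, not code from the report or from Verizon, showing what enforcing both looks like in a minimal login and session handler. The account store, the clock-injection pattern, the 30-minute lockout duration and the audit list are assumptions of this example (the infographic does not say how long a lock should last or how events are recorded); a real system would store salted password hashes rather than the constructed plaintext used here.

```python
"""Added example: account lockout after six failed logins and a 15-minute
idle timeout, the two controls the infographic calls out for Requirement 8.
Not from the Verizon report; all sample data is constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_LOGINS = 6            # lock after no more than six failed attempts
IDLE_TIMEOUT_SECONDS = 15 * 60   # require re-authentication after 15 idle minutes
LOCKOUT_SECONDS = 30 * 60        # assumption: lock duration (not stated on the page)


@dataclass
class Account:
    password: str                 # constructed sample; store a salted hash in practice
    failed_attempts: int = 0
    locked_until: Optional[float] = None


@dataclass
class Session:
    user: str
    last_activity: float


class AuthPolicy:
    """Login and session checks with an injectable clock so behaviour is testable."""

    def __init__(self, accounts: Dict[str, Account], now: Callable[[], float]):
        self.accounts = accounts
        self.now = now
        self.sessions: Dict[str, Session] = {}
        self.audit: List[Tuple[float, str, str]] = []   # (time, user, event) for monitoring

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token on success, None on any refusal."""
        t = self.now()
        acct = self.accounts.get(user)
        if acct is None:
            self.audit.append((t, user, "unknown_user"))
            return None
        if acct.locked_until is not None:
            if t < acct.locked_until:
                self.audit.append((t, user, "refused_locked"))
                return None
            # lock has expired: clear it and start counting afresh
            acct.locked_until = None
            acct.failed_attempts = 0
        if not hmac.compare_digest(password, acct.password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_LOGINS:
                acct.locked_until = t + LOCKOUT_SECONDS
                self.audit.append((t, user, "locked"))
            else:
                self.audit.append((t, user, "failed_login"))
            return None
        acct.failed_attempts = 0
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user=user, last_activity=t)
        self.audit.append((t, user, "login_ok"))
        return token

    def authorize(self, token: str) -> bool:
        """True if the session exists and has not been idle longer than the timeout."""
        s = self.sessions.get(token)
        if s is None:
            return False
        t = self.now()
        if t - s.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self.audit.append((t, s.user, "session_expired"))
            return False
        s.last_activity = t   # activity refreshes the idle clock
        return True


def run_demo() -> Dict[str, bool]:
    """Walk one constructed account through both controls and report each outcome."""
    clock = {"t": 0.0}
    policy = AuthPolicy({"alice": Account(password="correct-horse")}, lambda: clock["t"])
    results: Dict[str, bool] = {}
    for _ in range(5):
        policy.login("alice", "wrong")
    results["locked_after_5"] = policy.accounts["alice"].locked_until is not None
    policy.login("alice", "wrong")                       # sixth failure triggers the lock
    results["locked_after_6"] = policy.accounts["alice"].locked_until is not None
    results["refused_while_locked"] = policy.login("alice", "correct-horse") is None
    clock["t"] += LOCKOUT_SECONDS + 1
    token = policy.login("alice", "correct-horse")
    results["login_after_lock_expired"] = token is not None
    clock["t"] += 14 * 60
    results["active_at_14_min"] = policy.authorize(token)   # under the limit, refreshes
    clock["t"] += IDLE_TIMEOUT_SECONDS + 1
    results["active_after_idle"] = policy.authorize(token)  # over the limit, expired
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The audit list is what Requirement 10's log management would consume: a burst of `failed_login` events followed by `locked` for one user is exactly the early-warning signal the infographic says organizations need, and `session_expired` entries show the idle control actually firing.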