
PCI Compliance: How compliant is your payment security?


Ever wonder how you stack up on PCI compliance? Hear from the payment security experts behind the latest report and get the insight you need to manage risk and improve payment security. Discover the challenges organizations like yours face and how to improve your security controls.
To learn more, visit
http://www.verizonenterprise.com/verizon-insights-lab/payment-security/2017/


  1. Verizon 2017 Payment Security Report. Overview Webinar, Thursday, September 7th
  2. PROPRIETARY STATEMENT This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service. © 2017 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.
  3. Please advance to the next slide to watch the video. The full slide deck is available for your reference after the video. Thank you.
  4. Payment Security Experts: Rodolphe Simonetti, Global Managing Director, Security Assurance Consulting, Verizon Enterprise Solutions; Ron Tosto, Global Sr. Manager, Payment Security Practice, Verizon Enterprise Solutions; Franklin Tallah, Senior Manager, Payment Security Practice, Verizon Enterprise Solutions; Ciske Van Oosten, Senior Manager, Payment Security Practice, Verizon Enterprise Solutions
  5. Would you be more or less likely to do business with a company that had lost customers’ personal data?
  6. You can’t afford to ignore payment security. 66% say they would be unlikely to do business with an organization that experienced a breach where their financial and sensitive information was stolen.1 1. Gemalto, Customer Loyalty Study, 2016
  7. The 2017 Payment Security Report. • This report provides a thorough investigation of the challenges of securing customers’ payment data. • It examines the state of payment security, and looks at what needs to improve. • Based on our PCI assessments, the report explores compliance with PCI DSS in great detail, and is an invaluable resource for security and compliance professionals.
  8. What’s the difference between compliant and secure?
  9. PCI DSS compliance doesn’t necessarily mean that you’re secure. But failing it means that you’re definitely not. Over the past 12 years, not a single breached organization we investigated was fully PCI DSS compliant at the time of the breach.* *Payment card data breaches investigated by the VTRAC | IR Team
  10. There’s good news: full compliance continued its upward progression.
  11. But still almost half of organizations analyzed failed to maintain compliance.
  12. Our research shows that 45% of organizations fall out of PCI DSS compliance within nine months of validation.
  13. The control gap—the average percentage of controls organizations didn’t have in place—has increased in non-compliant companies.
  14. These aren’t just a few insignificant rules. Many of the controls not in place are essential to mitigating security threats.
  15. Full compliance. The percentage of organizations achieving full compliance improved across all 12 Key Requirements compared with 2015. Requirement 11 (Security testing) retained its traditional place at the bottom of the list in terms of full compliance (71.9%). Requirement 1 (Firewall configuration) showed the largest improvement in full compliance, increasing by 10.4 percentage points.
  16. Five out of six of the worst performers are the same now as they were in 2013. Requirement 11 (Test security systems and processes) has been the perennial bottom of the pack, but in the last couple of years we’ve seen it lose last place to Requirement 4 (Protect data in transit), though Requirement 11 retains the dubious honor of last place when you look at full compliance.
  17. IT services. Control gap: 3. Protect stored cardholder data; 11. Regularly test security systems/processes; 12. Maintain an information security policy. What can you do? • Requirement 3: When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to. • Requirement 11: Use vulnerability scanning, penetration testing, file integrity monitoring and intrusion detection to help identify and address weaknesses. • Requirement 12: Establish, update, and communicate effective security policies and procedures. Align these with the results of regular risk assessments to help address any weaknesses.
  18. Key Requirement 11: 83.6% of companies assessed after a data breach were not in compliance with Requirement 11.*
  19. The lifecycle of PCI DSS controls
  20. QSA horror story: Terrifyingly short. How secure is your password? How long would you make it if you were storing primary account numbers (PANs) in clear text? Much to their horror, during one assessment a QSA found an admin account with access to 70 million PANs protected by the weakest password we’ve ever seen—a single character! The operator’s defense was that it was a “special character”.
  21. QSA horror story: The phantom router. When auditing one organization, we were told that the requirements of PCI DSS governing Wi-Fi didn’t apply to them as they didn’t use it. But during the assessment, the QSA spotted an unsecured Wi-Fi network. The IT security team was shocked. After some investigating, it turned out that it wasn’t some paranormal activity. With the server room in the basement and the IT department located on the third floor, one IT admin was tired of traipsing up and down the stairs, so he had installed a router to access the servers from his desk. More slob than specter.
  22. Keep your options open. Think of how your controls will adapt to changes in the business and/or IT environment. Resilience is key.
  23. Make everyone aware of what they need to do. Assign roles, define responsibilities and verify that everyone understands what’s expected of them.
  24. Keep the ultimate goal in mind. The point of payment security is to safeguard customer data, not just pass an assessment.
  25. Read the 2017 Payment Security Report to get the full picture: VerizonEnterprise.com/PaymentSecurity Contact us: Paymentsecurity@Verizon.com
  26. Thank you. Q&A
  27. Appendices
  28. Full compliance (chart). Based on Verizon PCI assessments conducted for the 2017 Payment Security Report.
  29. Average control gap (chart). Based on Verizon PCI assessments conducted for the 2017 Payment Security Report.
  30. Full compliance (chart). Based on Verizon PCI assessments conducted for the 2017 Payment Security Report.
  31. Key requirements. 1. Install and maintain a firewall configuration: This Requirement covers the correct usage of a firewall to filter traffic as it passes between internal and external networks, as well as traffic to and from more sensitive areas within the company’s internal networks.
  32. Key requirements. 2. Do not use vendor-supplied defaults: This Requirement covers the controls that reduce the available attack surface on system components by removing unneeded services, functionality, and user accounts, and by changing insecure vendor default settings.
  33. Key requirements. 3. Protect stored cardholder data: This Requirement covers the storage of cardholder data (CHD) and sensitive authentication data (SAD) on system components, such as servers and databases. It states that all stored data must be protected using appropriate methods, no matter what type of system it’s stored in. And it must be securely deleted once no longer needed.
  34. Key requirements. 4. Protect data in transit: This Requirement is designed to protect cardholder data and sensitive authentication data transmitted over unprotected networks, such as the internet, where attackers could intercept it.
  35. Key requirements. 5. Protect against malicious software: This Requirement concerns protecting all systems commonly affected by malicious software against viruses, worms, and trojans.
  36. Key requirements. 6. Develop and maintain secure systems: This Requirement covers the security of applications, and particularly change management. It governs how systems and applications are developed and maintained, whether by the organization or third parties. It recognizes that the threat landscape is always changing, and compliance measures need to be adapted accordingly.
  37. Key requirements. 7. Restrict access: This Requirement specifies the processes and controls that should restrict each user’s access rights to the minimum they need to perform their duties—a “need-to-know” basis.
  38. Key requirements. 8. Authenticate access: This Requirement sets standards for managing user identities and authentication methods, including passwords. Before DSS 3.0, it was called “Assign a unique ID to each person with computer access”.
  39. Key requirements. 9. Control physical access: This Requirement stipulates that organizations must restrict physical access to all systems in the DSS scope and all hard copies of CHD.
  40. Key requirements. 10. Track and monitor access to networks and cardholder data: This Requirement covers the creation and protection of information that can be used for tracking and monitoring access to all systems in the DSS scope, including databases, network switches, firewalls and clients.
  41. Key requirements. 11. Test security systems and processes: This Requirement covers the use of vulnerability scanning, penetration testing, file integrity monitoring, and intrusion detection to identify and assess weaknesses.
  42. Key requirements. 12. Maintain an information security policy: This Requirement stipulates that organizations actively manage their data protection responsibilities by establishing, updating, and communicating security policies and procedures aligned with the results of regular risk assessments.
  43. Compliance by industry
  44. Financial services. Control gap: 2. Do not use vendor-supplied defaults; 11. Test security systems/processes; 12. Maintain an information security policy. What can you do? • Requirement 2: Remove unnecessary services, functionality and user accounts. Change the default usernames and passwords on all your devices. • Requirement 11: Use vulnerability scanning, penetration testing, file integrity monitoring and intrusion detection to help identify and address weaknesses. • Requirement 12: Establish, update, and communicate effective security policies and procedures. Align these with the results of regular risk assessments to help address any weaknesses.
  45. Retail. Control gap: 3. Protect stored cardholder data; 8. Authenticate access; 12. Maintain an information security policy. What can you do? • Requirement 3: When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to. • Requirement 8: Assign a unique username and password to each user. Segment data and grant access on a need-to-know basis. • Requirement 12: Establish, update, and communicate effective security policies and procedures. Align these with the results of regular risk assessments to help address any weaknesses.
  46. Hospitality. Control gap: 1. Install and maintain a firewall configuration; 3. Protect stored cardholder data; 6. Develop and maintain secure systems and applications. What can you do? • Requirement 1: Simplifying and consolidating access control and its administration is key. Train administrators to have a consistent understanding of “insecure” services, ports and protocols. • Requirement 3: When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to. • Requirement 6: Prevent and test for known weaknesses and common design or coding flaws. Identify vulnerabilities and remediate against them by applying security patches.
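Requirement 3 comes up three times in the deck (the key-requirements appendix and the retail, hospitality and IT-services control-gap slides) with the same advice: when cardholder data must be stored, use encryption and strong hashing, and the QSA horror story about 70 million clear-text PANs shows what happens without it. The Python below is an added worked example, not code from the Verizon report. It shows the three forms PCI DSS allows a stored PAN to take instead of clear text (masked for display, truncated, and a keyed one-way hash using HMAC-SHA-256), and it shows why an unkeyed SHA-256 is not "strong hashing": if a truncated copy of the same PAN is also stored, only the middle digits are unknown and the hash is brute-forced in about a second. The sample PANs are public test card numbers, the HMAC key is generated on the fly (in production it would come from an HSM or key-management service), and the assumption that the PAN is 16 digits long is noted in the brute-force routine. PCI DSS v4.0 (Requirement 3.5.1.1) makes the keyed hash mandatory; the earlier versions the report assesses against only say "strong cryptography".

```python
"""Added example for PCI DSS Requirement 3: rendering a stored PAN unreadable.
Not part of the Verizon report; sample PANs are public test numbers."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample inputs: standard public test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used to recognise PAN-shaped strings, e.g. in a data-discovery scan."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible (Req 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that is no longer a PAN: first six + last four, middle digits dropped (Req 3.4)."""
    return pan[:6] + pan[-4:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256) usable as a lookup token without keeping the PAN.
    The key is key material under Req 3.5/3.6: kept out of the database that holds
    the tokens, access-restricted and rotated. Output is 64 hex characters."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_pan_hash(pan: str) -> str:
    """What is often deployed as 'strong hashing': plain SHA-256 of the PAN.
    Included only so the function below can show how weak it is."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_unkeyed_hash(truncated: str, digest_hex: str) -> Optional[str]:
    """Brute-force the middle six digits of a 16-digit PAN (assumption of this demo)
    given its truncated copy and an unkeyed SHA-256 digest. Only 10**6 candidates
    exist (about 10**5 pass Luhn), so this finishes in roughly a second of CPU.
    Even without the truncated copy, a known 6-digit BIN leaves only ~10**9 valid PANs."""
    target = bytes.fromhex(digest_hex)
    first6, last4 = truncated[:6], truncated[6:]
    for middle in range(1_000_000):
        candidate = f"{first6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # placeholder for an HSM/KMS-managed key
    for pan in SAMPLE_PANS:
        print(pan, luhn_valid(pan), mask_pan(pan), truncate_pan(pan), keyed_pan_hash(pan, key)[:16])
    stolen_truncated = truncate_pan(SAMPLE_PANS[0])
    stolen_digest = unkeyed_pan_hash(SAMPLE_PANS[0])
    print("recovered from truncated copy + unkeyed hash:",
          recover_pan_from_unkeyed_hash(stolen_truncated, stolen_digest))
```

The brute-force routine is the reason the standard warns against keeping a truncated and a hashed version of the same PAN where they can be correlated: together they leave far less entropy than either alone. With the HMAC token the same attack needs the key, which is why the key has to live under the Requirement 3.5/3.6 key-management controls rather than next to the token table.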
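Requirement 11, the deck's perennial worst performer, names file integrity monitoring alongside scanning, penetration testing and intrusion detection, and PCI DSS 3.2's control 11.5 asks for a change-detection mechanism that compares critical files at least weekly. The Python below is an added example, not code from the Verizon report or from any FIM product: it takes a SHA-256 baseline of every regular file under a directory, re-walks the tree later, and reports what was added, removed or modified. The directory it monitors, its files and the three changes made to them are constructed inside a temporary directory so the block runs offline; the file names and contents are illustrative only.

```python
"""Added example for PCI DSS Requirement 11.5: a minimal file-integrity check
(baseline hashes, later comparison). Not the report's code; the monitored files
and the changes applied to them are constructed for the demonstration."""
import hashlib
import os
import tempfile
from typing import Dict, List


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root.
    Symlinks are skipped so a link pointing at an unchanged target cannot hide
    a swapped file. Paths use '/' so baselines compare across platforms."""
    result: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = file_sha256(full)
    return result


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two baselines into the three events a FIM alert should carry."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a small web root is baselined, then a script tag is
    appended to the payment page, an extra file is dropped under lib/, and the
    config file is deleted. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        files = {                                   # constructed sample content
            "config.php": b"<?php $db_host = 'db.internal';",
            "checkout.php": b"<?php render_payment_form();",
            "lib/util.php": b"<?php function util() {}",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        before = baseline(root)

        # Three changes a weekly (or, better, continuous) comparison must surface.
        with open(os.path.join(root, "checkout.php"), "ab") as f:
            f.write(b"\n<script src='//example.invalid/skim.js'></script>")   # injected, constructed
        with open(os.path.join(root, "lib", "extra.php"), "wb") as f:
            f.write(b"<?php /* unexpected new file */")
        os.remove(os.path.join(root, "config.php"))
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for event, paths in demo().items():
        print(f"{event}: {paths}")
```

Two points the deck's one-line mention does not make. The baseline has to be stored somewhere the monitored host's administrator cannot silently rewrite (signed, or shipped to the log collector), otherwise whoever can alter `checkout.php` can also alter the record it is compared against. And a comparison only produces an alert; Requirement 11.5 expects someone to review it and respond, which is where the Requirement 10 logging and Requirement 12 process controls tie in.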
