Visa Europe revealed important stats about the usage of contactless cards. Poland, Spain and the UK use this payment method the most, with UK usage growing by 300% year over year.
One of the scariest stats that we have read recently is the following:
“Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach.”
The above graph shows how companies approached their PCI compliance in 2014 and focuses on their behaviour by comparing their “at interim assessment” processes against their reaction to data breaches. The chart indicates that most PCI DSS requirements show a lower level of compliance after a security breach.
This information is revealed in the PCI Compliance Report 2015, recently published by the security experts team at Verizon, the U.S. broadband and telecommunications giant that produces an annual report about the PCI data security standard.
We can sum up the content of this report by looking at the main takeaways just as they are mentioned in the report itself.
Compliance is up
11 of the 12 requirements of PCI DSS compliance experienced an increase of 18% between 2013 and 2014. Requirement 8 (Identify and authenticate access to system components) is the one that has shown the biggest growth, from 33% to 69%, while requirement 11 (Regularly test security systems and processes) is the only one that dropped (just a few percentage points, from 40% to 33%).
Sustainability is low
In 2014, less than a year after previously achieving validation from Verizon, only 28.6% of companies were still found to be fully PCI DSS compliant. This is due to the absence of robust procedures for achieving and maintaining compliance; furthermore, a compliance assessment only demonstrates compliance at a particular moment in time. Companies should build their own framework of security policies, procedures and testing mechanisms to increase the chance of remaining PCI compliant continuously.
Data Security is still inadequate
The current security measures are not able to stop attackers and in most cases are even unable to slow them down. PCI DSS is a baseline, and should not be seen as a standalone standard that is sufficient to be secure, but as part of an information security risk-management strategy. Companies can spot important weaknesses and gaps through a PCI compliance assessment and fix them, but this won’t give them a 100% guarantee of protection for their customers’ data.
“Actually being PCI DSS compliant means achieving and maintaining all the PCI DSS controls throughout the year.”
This means that a company that describes itself as “PCI Compliant” has gone through a validation process, but it might still not be compliant. That’s either because the PCI DSS validation assessment didn’t identify all of the non-compliant areas, or because that particular company doesn’t perform compliance scans on a regular basis.
Therefore, we may say that the term “secure” could be compared to the Chimera of Greek mythology, a metaphor for a wildly imaginative situation. In the case of security, the delusional aspect is that it’s almost impossible to achieve. Only those companies that invest in having complete knowledge of, and immediate answers to, all threats will be able to define themselves as secure.
Customers trust companies when they complete a purchase. You are expected to provide the service or products that you promise, but also to keep their credit card and personal details safe.
Companies have to look into the sustainability of security controls and ongoing risk management.
One of the main statements that we find in this report is that, for a company, a scope-reduction strategy is the most important premise for a good approach to compliance. Understanding the complexity of the systems and processes in place for storing, processing, transmitting and accessing CHD (cardholder data) is the key to defining and cutting the scope in order to achieve and maintain compliance.
“Cutting the DSS scope will result in lower total cost of ownership, make maintenance of security controls easier, and reduce risk by limiting the attack surface”.
Achieving and monitoring compliance has a huge impact on the costs of organizations; those costs are growing year after year, as described by the chart below, and the only way to reduce them is to have a solid PCI compliance management strategy in place.
Keep these points in mind for the future:
Did you experience a data breach in 2014? Do you know that PCI DSS 3.1 is going to be out soon? Advantio is a PCI Compliance Qualified Assessor able to analyze your system and find out what you need to do to achieve compliance and maintain it continually. To find out how, contact us.
Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.
My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefit of IT Security best practices.