Data from the Verizon 2014 PCI Compliance Report

Your brand and reputation depend on data security

People do business with companies they trust. Yet we find that only about one in nine organizations (11.1%) is fully compliant at the time of its baseline assessment. Should a breach occur, more than data and trust is lost: companies face business interruption, financial penalties and lost revenue. In 2012, card fraud resulted in global losses of $11.27 billion.[1] With so much riding on your customer data, securing it is more important than ever.

In 2013, just 11.1% of the organizations we assessed were fully PCI DSS compliant.

PCI DSS requirements

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

[Chart: compliance with each of the 12 requirements, on a scale from 0% compliant to 100% compliant. All figures are measured at the organizations' baseline assessment.]

Requirement-by-requirement findings

Requirement 2 (vendor defaults): Only 53.3% of organizations complied with not using vendor-supplied default passwords. Many struggled with the sub-controls of 2.2.2; just 50.5% complied with both.

Requirement 3 (stored cardholder data): Only 13.2% of organizations met all the controls on the storage of cardholder data in 2012. In 2013 this rose to 55.6%.

Requirement 4 (encryption in transit): In 2013, 80.0% of organizations were compliant, second in our study. Every organization that failed Requirement 4 failed 4.1.a, encryption of data sent over insecure networks.

Requirement 5 (anti-virus): In 2012, only a third (34.0%) of companies' anti-virus measures met all the controls. By 2013, compliance had jumped to 84.4%.

Requirement 7 (need-to-know access): It is good practice to limit access to cardholder data on a need-to-know basis. Most organizations realize it is not acceptable to allow users access to all the data, and as a result compliance has jumped to 77.8%.

Requirement 8 (unique IDs and authentication): From 2012 to 2013, compliance doubled, to 35.6%. Still, organizations continue to fail at implementing two important controls, locking accounts after no more than six failed logins and expiring idle sessions within 15 minutes, which makes it easier for criminals to hijack legitimate user accounts.

Requirement 9 (physical access): 35% of breaches involved physical attacks, and POS devices are a common target.[2] Between 2012 and 2013, compliance with Requirement 9 almost tripled, to 75.6%.

Requirement 10 (tracking and monitoring): The trend is promising, with 46.9% of organizations compliant, but challenges remain with effective log management. Good logging provides early warning of attacks and helps minimize data loss should a breach occur.

Requirement 11 (regular testing of security systems and processes): Requirement 11 remains in last place in 2013, but compliance improved, from 11.3% in 2012 to 40.0% in 2013.

Requirement 12 (security policy): Organizations are realizing that effective security requires company-wide vigilance. Compliance with Requirement 12 jumped from 17.0% in 2012 to 55.6% in 2013.

Overall trends

- Fully compliant at the time of the initial baseline assessment: 11.1% of companies in 2013, up from 7.5% in 2012 (+48%).
- Over 70% of organizations complied with 80–99% of controls in 2013, up 45 percentage points from 2012 (+180%).
- Average compliance is up from 52.9% in 2012 to 85.2% in 2013 (+61%).
- Global losses from payment card fraud are growing: The Nilson Report estimated losses in 2012 at $11.27 billion.[1]

Compliance and breaches

In 2013, only 12.5% of organizations that suffered a data breach were compliant at the time of the breach, compared with an average of 46.7% for all organizations. On a second measure, only 16.4% of organizations that suffered a data breach were compliant, compared with an average of 53.3% for all organizations assessed. This suggests a correlation between non-compliance and data breaches.

Notes
1. The Nilson Report, 2013.
2. Verizon 2013 Data Breach Investigations Report.

Download the Verizon 2014 PCI Compliance Report at verizonenterprise.com/pcireport/2014

© 2014 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

Description: Explore the data around 12 specific PCI DSS requirements, and see how compliance is changing year over year. Learn more and download the full report here: http://vz.to/PCIreport2014
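The two Requirement 8 controls the infographic singles out, locking an account after no more than six failed logins and expiring a session after 15 idle minutes, are simple to state but, per the report, often left unimplemented. The Python below is an added illustration and is not code from Verizon or from the report: a small authentication guard that enforces both controls, with the clock injected so the lockout and idle windows can be exercised without waiting. The in-memory account store, the PBKDF2 password check, the token format and the 30-minute lockout duration are assumptions made for this example; the six-attempt and 15-minute limits are the ones the page names, the lockout duration is not stated on this page.

```python
"""Account lockout and idle-session expiry (PCI DSS Requirement 8 controls).

Added example, not from the Verizon report. The account store, clock
injection, PBKDF2 parameters and the 30-minute lockout duration are
assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_LOGINS = 6            # control on the page: lock after at most six failures
LOCKOUT_SECONDS = 30 * 60        # assumed lockout duration (not stated on the page)
IDLE_TIMEOUT_SECONDS = 15 * 60   # control on the page: expire sessions idle 15 minutes
PBKDF2_ROUNDS = 50_000           # kept modest so the example runs quickly


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0            # consecutive failed logins since the last success
    locked_until: float = 0.0  # clock value at which the lockout ends


@dataclass
class Session:
    user: str
    last_activity: float


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthGuard:
    """Enforces lockout on login and idle expiry on every session use."""

    def __init__(self, clock):
        # clock() returns seconds; injected so a test can move time forward
        self.clock = clock
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def is_locked(self, user: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and self.clock() < acct.locked_until

    def login(self, user: str, password: str):
        """Return a session token, or None. The lockout is checked before the
        password so a locked account rejects even the correct password."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\0" * 16)  # spend the same time as a real check
            return None
        if now < acct.locked_until:
            return None
        if not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed = 0  # the counter restarts once the lockout ends
            return None
        acct.failed = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now)
        return token

    def touch(self, token: str):
        """Validate a session on each request. Returns the user name, or None
        (and drops the session) if it sat idle longer than allowed."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        sess.last_activity = now
        return sess.user


if __name__ == "__main__":
    # Constructed scenario: six bad passwords lock the account, the lockout
    # blocks even the right password, and a session dies after 15 idle minutes.
    t = [0.0]
    guard = AuthGuard(lambda: t[0])
    guard.add_user("alice", "correct horse battery staple")
    for _ in range(MAX_FAILED_LOGINS):
        guard.login("alice", "guess")
    print("locked after six failures:", guard.is_locked("alice"))
    print("correct password while locked:", guard.login("alice", "correct horse battery staple"))
    t[0] += LOCKOUT_SECONDS
    token = guard.login("alice", "correct horse battery staple")
    t[0] += IDLE_TIMEOUT_SECONDS + 1
    print("session after 15 idle minutes:", guard.touch(token))
```

Two details matter more than the numbers. The lockout test runs before the password comparison, so an attacker who guesses the right password during the lockout window still gets nothing, and the idle check happens on every request rather than only at login, which is what actually limits how long a stolen session token stays useful.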
