PCI compliance: how compliant is your payment security?
TRANSCRIPT
Verizon 2017 Payment Security Report.
Overview Webinar
Thursday, September 7th
PROPRIETARY STATEMENT
This document and any attached materials are the sole property of Verizon and are not to be used by you other
than to evaluate Verizon’s service.
© 2017 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans
identifying Verizon’s products and services are trademarks and service marks or registered trademarks and
service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All
other trademarks and service marks are the property of their respective owners.
Payment Security Experts
Rodolphe Simonetti, Global Managing Director, Security Assurance Consulting, Verizon Enterprise Solutions
Ron Tosto, Global Sr. Manager, Payment Security Practice, Verizon Enterprise Solutions
Franklin Tallah, Senior Manager, Payment Security Practice, Verizon Enterprise Solutions
Ciske Van Oosten, Senior Manager, Payment Security Practice, Verizon Enterprise Solutions
Would you be more or less likely to do business with a company that had lost customers’ personal data?
You can’t afford to ignore payment security.
66% say they would be unlikely to do business with an organization that experienced a breach where their financial and sensitive information was stolen1.
1. Gemalto, Customer Loyalty Study, 2016
The 2017 Payment Security Report.
• This report provides a thorough investigation of the challenges of securing customers’ payment data.
• It examines the state of payment security, and looks at what needs to improve.
• Based on our PCI assessments, the report explores compliance with PCI DSS in great detail, and is an invaluable resource for security and compliance professionals.
What’s the difference between compliant and secure?
PCI DSS compliance doesn’t necessarily mean that you’re secure.
But failing it means that you’re definitely not.
Over the past 12 years, not a single
breached organization we investigated
was fully PCI DSS compliant at the
time of the breach*.
*Payment card data breaches investigated by the VTRAC | IR Team
There’s good news: full compliance continued its upward progression.
12
But still almost half of organizations analyzed failed to maintain compliance.
Our research shows that 45% of organizations fall out of PCI DSS compliance within nine months of validation.
The control gap—the average percentage of controls organizations didn’t have in place—has increased in non-compliant companies.
These aren’t just a few insignificant rules.
Many of the controls not in place are essential to mitigating security threats.
Full compliance
The percentage of organizations achieving full compliance improved across all 12 Key Requirements compared with 2015. Requirement 11 (Security testing) retained its traditional place at the bottom of the list in terms of full compliance (71.9%). Requirement 1 (Firewall configurations) showed the largest improvement in full compliance, increasing by 10.4pp.
Five out of six of the worst performers are the same now as they were in 2013.
Requirement 11 [Test security systems and processes] has been the perennial bottom of the pack, but in the last couple of years we’ve seen it lose last place to Requirement 4 [Protect data in transit], though Requirement 11 retains the dubious honor of last place when you look at full compliance.
IT services
Control gap: 3. Protect stored cardholder data; 11. Regularly test security systems/processes; 12. Maintain an information security policy.
3. Protect stored cardholder data. What can you do?
• When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to.
11. Regularly test security systems/processes. What can you do?
• Use vulnerability scanning, penetration testing, file integrity monitoring and intrusion detection to help identify and address weaknesses.
12. Maintain an information security policy. What can you do?
• Establish, update, and communicate effective security policies and procedures.
• Align these with the results of regular risk assessments to help address any weaknesses.
Key requirement 11
83.6% of companies assessed after a data breach were not in compliance with Requirement 11*
The lifecycle of PCI DSS controls
QSA horror story: Terrifyingly short
How secure is your password? How long would you make it if you were storing primary account numbers (PANs) in clear text? Much to their horror, during one assessment a QSA found an admin account with access to 70 million PANs protected by the weakest password we’ve ever seen: a single character! The operator’s defense was that it was a “special character”.
QSA horror story: The phantom router
When auditing one organization, we were told that the requirements of PCI DSS governing Wi-Fi didn’t apply to them as they didn’t use it. But during the assessment, the QSA spotted an unsecured Wi-Fi network. The IT security team was shocked. After some investigating, it turned out that it wasn’t some paranormal activity. With the server room in the basement and the IT department located on the third floor, one IT admin was tired of traipsing up and down the stairs, so he had installed a router to access the servers from his desk. More slob than specter.
Keep your options open.
Think of how your controls will adapt to changes in the business and/or IT environment. Resilience is key.
Make everyone aware of what they need to do.
Assign roles, define responsibilities and verify that everyone understands what’s expected of them.
Keep the ultimate goal in mind.
The point of payment security is to safeguard customer data, not just pass an assessment.
Read the 2017 Payment Security Report to get the full picture:
VerizonEnterprise.com/PaymentSecurity
Contact us:
Thank you.
Q&A
Appendices
Appendix charts (figures not reproduced in this transcript): Full compliance; Average control gap; Full compliance. All are based on the Verizon PCI assessments analyzed in the 2017 Payment Security Report.
Key requirements
1. Install and maintain a firewall configuration
This Requirement covers the correct usage of a firewall to filter traffic as it passes between internal and external networks, as well as traffic to and from more sensitive areas within the company’s internal networks.
2. Do not use vendor-supplied defaults
This Requirement covers the controls that reduce the available attack surface on system components by removing unneeded services, functionality, and user accounts, and by changing insecure vendor default settings.
3. Protect stored cardholder data
This Requirement covers the storage of CHD and SAD on system components, such as servers and databases. It states that all stored data must be protected using appropriate methods, no matter what type of system it’s stored in. And it must be securely deleted once no longer needed.
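As an added example (not from the Verizon report or its authors), the Python below shows why the “strong hashing” that Requirement 3 permits has to be keyed, and why a masked or truncated copy of a PAN must not sit next to an unkeyed hash of the same PAN (PCI DSS 3.x guidance on 3.4 warns that the two can be correlated to reconstruct the PAN). With the first six and last four digits known from the masked form, only six digits of a 16-digit PAN are hidden, and the Luhn check digit fixes one of them, so an unkeyed SHA-256 falls to about 10**5 guesses. The PAN, mask format, hash choices and key handling are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Luhn "double, then subtract 9" mapping for one digit. It is a bijection on 0..9,
# which is what lets us solve for a single unknown digit below.
DOUBLE = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_sum(digits):
    """Luhn checksum over a list of ints, most significant digit first."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        total += DOUBLE[d] if i % 2 == 1 else d
    return total


def luhn_valid(pan):
    return pan.isdigit() and luhn_sum([int(c) for c in pan]) % 10 == 0


def mask_pan(pan):
    """Display form: at most first six and last four digits shown (PCI DSS 3.x Req 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan):
    """What many legacy systems do: plain SHA-256 of the PAN. Not safe on its own."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan, key):
    """HMAC-SHA256 with a secret key held outside the database (HSM/KMS in practice)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def solve_luhn_digit(digits, idx):
    """Return the digit at position idx that makes the number Luhn-valid, given the rest."""
    digits = list(digits)
    digits[idx] = 0
    need = (-luhn_sum(digits)) % 10
    from_right = len(digits) - 1 - idx
    return need if from_right % 2 == 0 else DOUBLE.index(need)


def recover_pan(masked, digest, hash_fn):
    """Attacker's view: a masked PAN and a hash column from the same database.
    Enumerate the hidden digits, letting Luhn determine the last one, and compare
    hash_fn(candidate) with the stolen digest. Returns the PAN or None."""
    start = masked.index("*")
    hidden = masked.count("*")
    last = start + hidden - 1
    for n in range(10 ** (hidden - 1)):
        digits = [0 if c == "*" else int(c) for c in masked]
        for k, ch in enumerate(str(n).zfill(hidden - 1)):
            digits[start + k] = int(ch)
        digits[last] = solve_luhn_digit(digits, last)
        cand = "".join(map(str, digits))
        if hash_fn(cand) == digest:
            return cand
    return None


def demo():
    pan = "4111111111111111"            # constructed: a standard test PAN
    masked = mask_pan(pan)
    key = secrets.token_bytes(32)       # constructed: in production this lives in a KMS/HSM
    # Unkeyed hash next to the masked PAN: recovered by brute force.
    from_sha256 = recover_pan(masked, unkeyed_hash(pan), unkeyed_hash)
    # Keyed hash: without the key the attacker cannot compute candidate digests.
    from_hmac = recover_pan(masked, keyed_hash(pan, key), unkeyed_hash)
    return {"masked": masked, "from_sha256": from_sha256, "from_hmac": from_hmac}


if __name__ == "__main__":
    print(demo())
```

The HMAC only holds up while the key stays out of the attacker’s reach, so it has to be managed under the same key-management controls as an encryption key, not stored in the application’s configuration next to the connection string. Tokenization or not storing the PAN at all avoids the problem entirely.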
4. Protect data in transit
This Requirement is designed to protect cardholder data and sensitive authentication data transmitted over unprotected networks, such as the internet, where attackers could intercept it.
5. Protect against malicious software
This Requirement concerns protecting all systems commonly affected by malicious software against viruses, worms, and trojans.
6. Develop and maintain secure systems
This Requirement covers the security of applications, and particularly change management. It governs how systems and applications are developed and maintained, whether by the organization or third parties. It recognizes that the threat landscape is always changing, and compliance measures need to be adapted accordingly.
7. Restrict access
This Requirement specifies the processes and controls that should restrict each user’s access rights to the minimum they need to perform their duties, on a “need-to-know” basis.
8. Authenticate access
This Requirement sets standards for managing user identities and authentication methods, including passwords. Before DSS 3.0, it was called “Assign a unique ID to each person with computer access”.
9. Control physical access
This Requirement stipulates that organizations must restrict physical access to all systems in the DSS scope and all hard copies of CHD.
10. Track and monitor access to networks and cardholder data
This Requirement covers the creation and protection of information that can be used for tracking and monitoring access to all systems in the DSS scope, including databases, network switches, firewalls and clients.
11. Test security systems and processes
This Requirement covers the use of vulnerability scanning, penetration testing, file integrity monitoring, and intrusion detection to identify and assess weaknesses.
12. Maintain an information security policy
This Requirement stipulates that organizations actively manage their data protection responsibilities by establishing, updating, and communicating security policies and procedures aligned with results of regular risk assessments.
Compliance by industry
Financial services
Control gap: 2. Do not use vendor-supplied defaults; 11. Test security systems/processes; 12. Maintain an information security policy.
2. Do not use vendor-supplied defaults. What can you do?
• Remove unnecessary services, functionality and user accounts.
• Change the default username and passwords on all your devices.
11. Test security systems/processes. What can you do?
• Use vulnerability scanning, penetration testing, file integrity monitoring and intrusion detection to help identify and address weaknesses.
12. Maintain an information security policy. What can you do?
• Establish, update, and communicate effective security policies and procedures.
• Align these with the results of regular risk assessments to help address any weaknesses.
Retail
Control gap: 3. Protect stored cardholder data; 8. Authenticate access; 12. Maintain an information security policy.
3. Protect stored cardholder data. What can you do?
• When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to.
8. Authenticate access. What can you do?
• Assign a unique username and password to each user.
• Segment data and grant access on a need-to-know basis.
12. Maintain an information security policy. What can you do?
• Establish, update, and communicate effective security policies and procedures.
• Align these with the results of regular risk assessments to help address any weaknesses.
Hospitality
Control gap: 1. Install and maintain a firewall configuration; 3. Protect stored cardholder data; 6. Develop and maintain secure systems and applications.
1. Install and maintain a firewall configuration. What can you do?
• Simplifying and consolidating access control and its administration is key.
• Train administrators to have a consistent understanding of “insecure” services, ports and protocols.
3. Protect stored cardholder data. What can you do?
• When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to.
6. Develop and maintain secure systems and applications. What can you do?
• Prevent and test for known weaknesses and common design or coding flaws.
• Identify vulnerabilities and remediate against them by applying security patches.