New Verizon Report: Non-PCI Compliant Organizations Suffer More Breaches

  /     /     /  
Publicated : 22/11/2024   Category : security


New Verizon Report: Non-PCI Compliant Organizations Suffer More Breaches


First report on real-world PCI assessments by Verizon shows nearly 80 percent of companies miss the compliance mark in first audit



Data from PCI DSS assessments conducted by Verizon Business PCI auditors shows that organizations hit by breaches are 50 percent less likely to be PCI-compliant than its other clients.
The first-ever Verizon Payment Card Industry Compliance Report, released today, analyzed findings from actual PCI DSS assessments Verizon conducted between 2008 and 2009. The report also shows that only 22 percent of organizations score as compliant with the PCI DSS at their first audit.
Protecting stored data, tracking and monitoring access to network resources and cardholder data, and regularly testing security systems and processes were the top three reasons for breaches in Verizons 2010 Data Breach Investigations Report. And its those three security areas where companies are having difficulty deploying or complying with in PCI, according to Verizon.
We found a direct correlation to the top reasons for data breaches, says Jen Mack, director of global PCI consulting services at Verizon. PCI requires protecting source data, monitoring and reviewing, and systematically checking and scanning and penetration testing ... And we could see those were the top reasons for breaches in our breach report. We see in our PCI report that these areas have the least amount of requirements in place at the time of their Initial Report on Compliance.
Mack says these are PCI compliance areas where organizations are most lagging behind. Overall, the numbers showing PCI-compliant companies being less likely to suffer a breach is good news for the specification, she says.
I would say this is very good news for PCI, Mack says. This pushes for maintaining good security practices.
The report analyzes findings in 200 PCI DSS assessments conducted by Verizons PCI Qualified Security Assessors (QSAs), and correlates it with the companys breach report.
The top attack techniques used to breach payment card data were malware and hacking (25 percent); SQL injection attacks (24 percent); exploiting default or guessable credentials (21 percent); abuse of system access privileges (17 percent); use of stolen login credentials (14 percent); RAM scraper malware (13 percent); exploiting insufficient authorization (13 percent); packet sniffer (13 percent); and keylogger/spyware (13 percent), according to the report.
Interestingly, three-fourths of the organizations audited by Verizon met 79 percent of PCI testing processes. So folks not in compliance are not that far off, Mack says. PCI compliance is still an ongoing effort. Its more of a lifestyle change.
Verizon recommends building security into the business process, aligning compliance and security as one effort and approaching compliance as a continuous process rather than a point-in-time event. And keeping the scope of the assessment manageable is also crucial, so Verizon advises controlling data closely.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
New Verizon Report: Non-PCI Compliant Organizations Suffer More Breaches