
Is your business PCI DSS compliant? You’re digging your own grave if not

According to the latest report by Verizon, every organization that suffered a data breach between 2010 and 2016 wasn’t fully PCI DSS compliant. Is yours?



  1. Is your business PCI DSS compliant? You’re digging your own grave if not…
  2. Why be PCI compliant? The latest report by Verizon shows that online businesses are less likely to be breached if they’re PCI compliant.
  3. What is PCI DSS Compliance?
  4. “The Payment Card Industry Data Security Standard (PCI DSS) is a set of security guidelines applicable to all organizations that accept, store, and process credit card information.”
  5. How does PCI DSS Compliance work?
  6. Image: PCI Scanning Function
  7. PCI DSS Compliance
      ○ The PCI DSS is comprised of 12 key requirements that any website dealing with payment cards must adhere to.
      ○ The Verizon 2017 Payment Security Report clearly outlines the relation between PCI DSS compliance and data breaches.
      ○ Interestingly, almost all the victimized companies that Verizon analyzed between 2010 and 2016 were found to have violated the PCI DSS at the time of their breach.
      ○ Even more interestingly, the report indicates that 55.4% remain fully PCI compliant one year after their preliminary assessment.
      ○ These two are the key findings of the 60-page long Verizon 2017 Payment Security Report – the ‘highlights’, if you may.
  8. However, there’s no need to get overly pessimistic about these numbers. There is some good news, too. So, which one would you like to hear first — good news or bad news? Okay, let’s go through some good news first.
  9. The Good News
  10. Compliance on the rise
      The report states that 55.4% of companies in 2016 remained fully PCI compliant one year after their preliminary assessment. This number may sound a little on the downside, but it’s not. 55.4% is a massive improvement over the 48.4% recorded in 2015.
  11. Default credentials are a thing of the past
      One of the 12 PCI DSS requirements is NOT to use default vendor-supplied credentials. Going by Verizon’s report, 81.3% of organizations heed this requirement – an encouraging sign indeed.
  12. Finance sector leading by example
      If there is any sector that needs to comply with the PCI DSS more than others, it’s the finance sector. Almost 60% of financial services organizations fall within the boundaries of PCI DSS.
  13. Customers getting savvier
      Another key finding of the report was the rise in customer awareness. The report states: “66% say they would be unlikely to do business with an organization that experienced a breach where their financial and sensitive information was stolen.” Now let’s get to the bad news – the part you should have a close look at.
  14. The Bad News
  15. The love-hate relationship between data breaches and PCI compliance
      The report demonstrates a clear link between PCI DSS compliance and data breaches. The organizations that are fully PCI compliant have very low chances of being the victim of a data breach.
  16. Speaking of which, Rodolphe Simonetti, Verizon’s global managing director for security consulting, said: “There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks. [While] it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small – are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner.”
  18. Security Testing: Needs Improvement
      An important part of the 12 requirements is ‘Security Testing.’ This requires organizations to test their security systems and processes under specific guidelines. Unfortunately, only 71.9% of organizations are compliant with this requirement.
  19. Tracking and Monitoring: A bluntly ignored requirement
      To protect your online business against potential data breaches, you need to constantly track and monitor access – that’s actually requirement 10 of the PCI DSS. 91.9% of the companies assessed after a data breach were found to be disregarding this requirement. Now that you know the significance that PCI DSS requirements hold, we hope that you will comply with (or at least think about) the requirements.
  20. 12 requirements for Tracking and Monitoring
  21. 1. Install and maintain a firewall and router configuration to protect cardholder data
  22. 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  23. 3. Protect stored cardholder data
  24. 4. Encrypt transmission of cardholder data across open, public networks
  25. 5. Use and regularly update anti-virus software or programs
  26. 6. Develop and maintain secure systems and applications
  27. 7. Restrict access to cardholder data by business need to know
  28. 8. Assign a unique ID to each person with computer access
  29. 9. Restrict physical access to cardholder data
  30. 10. Track and monitor all access to network resources and cardholder data
  31. 11. Regularly test security systems and processes
  32. 12. Maintain a policy that addresses information security for all personnel
  33. And if you’re feeling particularly motivated and want to dig in deep, you can learn more about these requirements on the Payment Security Council’s official website.
  34. THANKS! If you have any questions about this document, please don’t hesitate to contact us at:
      https://cheapsslsecurity.com/blog/
      https://twitter.com/sslsecurity
      https://www.facebook.com/CheapSSLSecurities
      https://plus.google.com/+Cheapsslsecurity
