PCI latest

by Mark Rowe

Verizon Enterprise Solutions unveiled some findings from its upcoming 2015 PCI Report on January 12, ahead of publication in February. The 2015 report will cover Payment Card Industry (PCI) Data Security Standard compliance and how it relates to data breaches among retailers and restaurateurs that rely on payment card transactions.

The internet and telecoms firm suggests that many companies fall out of compliance once it’s achieved. In fact, fewer than one-third were still fully PCI-compliant less than a year after being validated. Of all the data breaches studied, Verizon claims that not a single company was fully PCI-compliant at the time of the breach. Two key areas where firms fall out of compliance are regularly testing security systems and processes, and maintaining firewalls.

Rodolphe Simonetti, director of compliance and governance professional services for Verizon Enterprise Solutions, spoke of a changing cyber-security landscape. He said: “As a result, organisations need to change the way they approach security. Businesses need to adopt a model that we call ‘resilience’ which means they must accept they can never be fully secure. There is no silver bullet for data protection.”

Simonetti recommends that businesses look holistically at security, which means enterprises must:

  • Put safeguards in place to prevent attacks
  • Accept that a breach can happen
  • Be prepared to respond by:
      • Mitigating the impact of a breach
      • Restoring defences
      • Resuming normal operations as quickly as possible.

Meanwhile the PCI Security Standards Council (PCI SSC), a US-based industry standards body managing the Payment Card Industry Data Security Standard (PCI DSS), released v2.0 of the PIN Security Requirements.

That covers the secure management, processing and transmission of personal identification number (PIN) data at ATMs, and at attended and unattended point of sale (POS) terminals. PCI PIN Security Requirements v2.0 now includes testing procedures. This resulted in two versions of the requirements: PCI PIN Security Requirements v2.0 and PCI PIN Security Requirements and Test Procedures v2.0. The council says that including the testing procedures in a separate version of the document will allow smoother evaluation of the requirements.

PCI SSC says that PIN data continues to be a target for criminals. Examples of common vulnerabilities for PIN theft that the requirements address include:

  • PINs that are not protected by use of a secure PIN block
  • Failure to use approved cryptographic devices for PIN processing
  • Cryptographic keys that are non-random, not unique per POI device and never change
  • Few, if any, documented PIN protection procedures
  • Audit trails or logs that are not maintained
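The first item in the list, as an added illustration that is not from the article or from the PCI requirements text: an ISO 9564-1 Format 0 PIN block binds the PIN to the card's PAN, so the same PIN produces a different block on every card and the block can only be verified against the PAN it was built for. The choice of Format 0 and the PIN and PAN values are assumptions; the article only says "secure PIN block".

```python
"""ISO 9564-1 Format 0 PIN block: PIN field XOR PAN field (8 bytes, 16 hex digits).
The format choice and the sample PIN/PAN values below are constructed assumptions."""


def _pan_field(pan: str) -> int:
    # "0000" followed by the 12 rightmost PAN digits, excluding the Luhn check digit.
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return int("0000" + pan[-13:-1], 16)


def encode_pin_block(pin: str, pan: str) -> str:
    """Return the Format 0 PIN block (16 hex digits) for `pin` on card `pan`."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    # PIN field: format nibble 0, PIN length nibble, PIN digits, then F padding.
    pin_field = int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)
    return f"{pin_field ^ _pan_field(pan):016X}"


def decode_pin_block(block: str, pan: str) -> str:
    """Recover the PIN from a Format 0 block; raises if it does not match `pan`."""
    pin_field = f"{int(block, 16) ^ _pan_field(pan):016X}"
    if pin_field[0] != "0":
        raise ValueError("not a Format 0 PIN block")
    length = int(pin_field[1], 16)
    pin, padding = pin_field[2:2 + length], pin_field[2 + length:]
    # A block built under a different PAN fails the padding check here.
    if not 4 <= length <= 12 or not pin.isdigit() or padding != "F" * (14 - length):
        raise ValueError("PIN block does not verify against this PAN")
    return pin


def verifies(block: str, pan: str) -> bool:
    """True if `block` decodes cleanly under `pan`."""
    try:
        decode_pin_block(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pan_a, pan_b = "4321987654321098", "5555444433332222"  # constructed PANs
    block = encode_pin_block("1234", pan_a)
    print(block, encode_pin_block("1234", pan_b))  # same PIN, different blocks
    print(verifies(block, pan_a), verifies(block, pan_b))  # True False
```

Without the PAN binding, a stolen table of raw PINs would be directly reusable across cards; with it, a block is only meaningful alongside the PAN it was formed under.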

Stephen W Orfei, general manager of the PCI Security Standards Council, said: “Criminals are actively targeting the point of sale and it’s up to us as a community to stop them in their tracks. The requirements enhance the protection of devices that accept PINs with the end goal of securing cardholder data at the POS.”

The council has also published a ‘Summary of Significant Changes’ document which looks at the significant modifications to the requirements.

Troy Leach, chief technology officer, PCI Security Standards Council, said: “With 1.0 we introduced requirements for the secure management, processing and transmission of PIN data at ATMs, and attended and unattended point of sale (POS) terminals. Version 2.0 builds on this by improving clarity to ease understanding. The addition of testing criteria will ensure that these products are being tested and validated against the highest level of security.”

About the PCI Security Standards Council

The PCI Security Standards Council is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards for payment data security. Founded in 2006 by the payment card brands American Express, Discover, JCB International, MasterCard and Visa Inc, the Council has more than 700 members representing retailers, banks and card processors. Visit: pcisecuritystandards.org.
