With the new year, most people are making their resolutions and taking a good, hard look at some of their personal habits. It also seems like a great time to focus on PCI compliance if you're in the banking industry or e-commerce. Verizon's Data Breach Investigations Report for 2012 drew up some interesting figures worth a second glance. 79% of breach victims were victims of opportunity. A vulnerability that is present and easy to reach is a much quicker win for a hacker than choosing a specific target. A person or business doesn't have to be large to be attacked; sometimes they just have to be easy to compromise.
Also, 96% of victims subject to PCI DSS were not compliant at the time of their breach. With many of the standards open to a certain amount of interpretation by the auditor, it can be difficult for a business to parse the language and achieve compliance. What exacerbates the problem is businesses and auditors that don't think of PCI compliance as a series of risks and defences, but rather as a list of checkboxes they need to tick. The changes made to PCI DSS in 2012 worked to mitigate that by adding the requirement for a risk-based vulnerability assessment. The hope was that businesses would start to think clearly and actively about what their risks are, and from there work to make sure they aren't vulnerable to attack in the future.
Based on this breach data, Verizon says that the most effective focus for smaller organizations, one that would stop a large portion of the easily avoidable compromises, involves putting a firewall in front of remote access services and changing default credentials. They also stress the importance of making sure any third-party vendors in control of these services for a company follow the same guidelines. One good way to ensure this is to obtain a vendor's attestation of compliance with the latest PCI standards before working with them. Having this means they have had an independent audit confirming they are compliant with all 211 different PCI standards. Without it, it is the merchant's responsibility to do their due diligence and ensure vendor compliance before the QSA (Quality Security Assessor) completes the merchant's audit.
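The two controls Verizon singles out for smaller merchants are easy to check mechanically, and a check that runs on a schedule is worth more than a one-off tick in a box. The following script is an added example, not code from the original post or from Verizon; it takes a constructed list of firewall rules and user accounts (the field names `action`, `port`, `source` and `password_sha256` are assumptions for the example, not any real product's export format) and reports remote access services reachable from any source address, and accounts that still carry a vendor-default credential. The vendor-default list is also constructed; a real audit would use the defaults documented for the devices actually deployed.

```python
"""Audit two PCI quick wins: exposed remote access and default credentials.

Added example, not part of the original post. Input formats and vendor
defaults are constructed for the example.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Remote access services that should never be reachable from any source.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

# Constructed vendor-default accounts for a hypothetical POS appliance.
VENDOR_DEFAULTS = {"admin": "admin", "support": "support"}


@dataclass(frozen=True)
class FirewallRule:
    action: str   # "allow" or "deny"
    port: int     # destination TCP port
    source: str   # CIDR of permitted source addresses


@dataclass(frozen=True)
class Account:
    username: str
    password_sha256: str  # hex SHA-256 of the stored password (assumed format)


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a string; used only to compare against known defaults."""
    return hashlib.sha256(text.encode()).hexdigest()


def exposed_remote_services(rules):
    """Return (port, service, source) for remote access allowed from any address.

    A /0 source means the rule matches every address on the internet, which is
    exactly the 'easy to reach' condition the breach data describes. Rules
    scoped to a specific range (e.g. a vendor's support network) are not flagged.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.port not in REMOTE_ACCESS_PORTS:
            continue
        network = ipaddress.ip_network(rule.source, strict=False)
        if network.prefixlen == 0:
            findings.append((rule.port, REMOTE_ACCESS_PORTS[rule.port], rule.source))
    return findings


def accounts_with_default_credentials(accounts):
    """Return usernames whose stored password still equals the vendor default."""
    return [
        account.username
        for account in accounts
        if account.username in VENDOR_DEFAULTS
        and account.password_sha256 == sha256_hex(VENDOR_DEFAULTS[account.username])
    ]


def audit(rules, accounts):
    """Combine both checks into one report; compliant only if both lists are empty."""
    exposed = exposed_remote_services(rules)
    defaults = accounts_with_default_credentials(accounts)
    return {
        "exposed_remote_services": exposed,
        "default_credential_accounts": defaults,
        "compliant": not exposed and not defaults,
    }


# Constructed sample data: one finding of each kind plus two acceptable entries.
SAMPLE_RULES = [
    FirewallRule("allow", 443, "0.0.0.0/0"),       # public web store, fine
    FirewallRule("allow", 3389, "0.0.0.0/0"),      # RDP open to the world
    FirewallRule("allow", 22, "203.0.113.0/24"),   # SSH from vendor range only
]
SAMPLE_ACCOUNTS = [
    Account("admin", sha256_hex("admin")),                   # still default
    Account("pos-operator", sha256_hex("c0rrect-h0rse-batt3ry")),
]

if __name__ == "__main__":
    report = audit(SAMPLE_RULES, SAMPLE_ACCOUNTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample data, the report flags the RDP rule and the `admin` account and marks the system non-compliant; the SSH rule scoped to a single /24 is left alone, which is the distinction between "remote access exists" and "remote access is exposed" that the breach figures turn on.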
It's clear that merchants know they need to be secure, both for their customers and for their reputation. Hearing some of the costs associated with breaches in 2012 (the Global Payments breach costing 84.4 million, or the SC Department of Revenue breach that cost the state upwards of $14 million) adds emphasis to the point. And with more changes coming to PCI DSS in 2013, now is the best time to start working on compliance, or to reassess the processes that are already in place.