Data Breaches Hit Half of America: Verizon Report
Almost half of all American consumers (45%) said data security breaches have compromised their personal payment information or that of a household member, according Verizon’s 2015 PCI Compliance Report.
The document suggested credit unions and other card issuers might suffer damage from card security breaches until consumers start using payment cards with embedded EMV chips.
Verizon Enterprise Solutions, a subsidiary of the communication firm, published the report March 12. It was the fourth year Verizon has published the report, which looks into how firms comply with the Payment Card Industry Data Security Standard.
This year’s report covered three years of data and included the results from PCI assessments conducted by Verizon’s team of PCI Qualified Security Assessors for Fortune 500 and large multinational firms in more than 30 countries, the firm said.
Verizon researchers found that 80% of all firms studied failed their interim PCI DSS compliance assessments. And, once compliant, firms struggled to maintain compliance.
“Today’s cybersecurity landscape is constantly changing,” said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions. “Compliance at a point in time isn’t sufficient to protect data. Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities within an organization’s greater security strategy.”
The firm noted that only 29% of firms that validated their payment systems remained compliant with PCI DSS within one year after their validation.
“The three key areas where organizations fall out of compliance are: Regularly testing security systems, maintaining secure systems and protecting stored data. Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI DSS-compliant at the time of the breach,” Simonetti added.
However, the firm also observed that some elements of PCI compliance had improved. The data standard covers 12 areas that firms that accept payment cards are supposed to maintain in a secure stance in order to minimize the chances of being hacked.
The 12 areas include maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus software, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.
Verizon said rules in 11 of the 12 areas that make up PCI DSS had seen increased numbers of firms remain compliant, even if a very small minority of firms managed to remain compliant with all of them. That meant that at any given time, 60% of firms would have been found compliant with rules in any one of the 12 areas, Verizon said.
“Data protection is not just about using encryption, firewalls and antivirus,” Verizon wrote in the report. “[I]t’s about ongoing scoping, configuration maintenance, identity management, logging, monitoring, scanning and testing. Security is something you do, not something you have. The low results of testing security systems show that many organizations still don’t recognize this."