According to the latest report by Verizon, every organization that suffered from a data breach during 2010 to 2016 wasn’t fully PCI DSS compliant. Is yours?

1. Is your business PCI DSS
compliant?
You’re digging your own grave
if not…

2. Why to be PCI
Compliance?
The latest report by Verizon shows that online
businesses are less likely to be breached if they’re
PCI compliant.

3. What is PCI DSS
Compliance?

4. “
The Payment Card Industry Data Security
Standard (PCI DSS), is a set of security
guidelines applicable to all organizations
that accept, store, and process credit card
information.

5. How PCI DSS
Compliance
Works?

6. Image: PCI Scanning Function

7. PCI DSS Compliance
○ The PCI DSS is comprised of 12 key requirements that any website dealing
with payment cards must adhere to.
○ The Verizon 2017 Payment Security Report clearly outlines the relation
between PCI DSS compliance and data breaches
○ Interestingly, almost all the victimized companies that Verizon analyzed
between 2010 and 2016 were found have violated the PCI DSS at the time
of their breach.
○ Even more interestingly, the report indicates that 55.4% remain fully PCI
compliant one year after their preliminary assessment.
○ These two are the key findings of the 60-page long Verizon 2017 Payment
Security Report – the ‘highlights’ if you may.

8. • However, there’s no need to get overly pessimistic by
these numbers. There is some good news, too.
So, which one would you like to hear first — good news
or bad news?
Okay, let’s go through some good news first.

9. The Good News


10. The report states that 55.4% of companies in 2016
remained fully PCI compliant one year after their
preliminary assessment.
This number may sound a little on the downside, but
it’s not. 55.4% is a massive improvement over the
48.4% recorded in 2015.
Compliance on
the rise

11. One of the 12 PCI DSS requirements is NOT TO use
default vendor-supplied credentials.
Going by Verizon’s report, 81.3% of organizations
heed this requirement – an encouraging sign
indeed.
Default
credentials are
a thing of the
past

12. If there is any sector that needs to comply with the
PCI DSS more than others, it’s the finance sector
Almost 60% of financial services organizations fall
within the boundaries of PCI DSS.
Finance sector
leading by
example

13. Another key finding of the report was the rise in
customer awareness.
The report states “66% say they would be unlikely to
do business with an organization that experienced a
breach where their financial and sensitive information
was stolen.
Now let’s get to the bad news. The part you should
have a close look at.
Customers
getting savvier

14. The Bad News


15. The report demonstrates a clear link between PCI DSS
compliance and data breaches.
The organizations that are fully PCI compliant have very
low chances of being the victim of a data breach.
The love-hate
relationship
between data
breaches and
PCI compliance

16. • Speaking of which Rodolphe Simonetti, Verizon’s global managing
director for security consulting said
“There is a clear link between PCI DSS compliance and an
organization’s ability to defend itself against cyberattacks, [While] it is
good to see PCI compliance increasing, the fact remains that over 40
percent of the global organizations we assessed – large and small –
are still not meeting PCI DSS compliance standards. Of those that pass
validation, nearly half fall out of compliance within a year — and many
much sooner.”

17. The report demonstrates a clear link between PCI DSS
compliance and data breaches.
The organizations that are fully PCI compliant have very
low chances of being the victim of a data breach.
The love-hate
relationship
between data
breaches and
PCI compliance

18. An important part of the 12 requirements is the
‘Security Testing.’
This requires the organizations to test their security
systems and processes under some specific guidelines.
Unfortunately, only 71.9% of organizations are
compliant with this requirement.
Security
Testing: Needs
Improvement

19. To protect your online business against potential data
breaches, you need to constantly track and monitor
access – that’s actually rule 10 of the PCI DSS. 91.9% of
the companies assessed after a data breach were found
to be disregarding this requirement.
Now that you know the significance that PCI DSS
requirements hold, we hope that you will comply with
(or at least think about) the requirements.
Tracking and
Monitoring: A
bluntly ignored
requirement

20. 12 requirements
for Tracking and
Monitoring

21. 1. Install and maintain a firewall and router configuration to
protect cardholder data

22. 2. Do not use vendor-supplied defaults for system passwords
and other security parameters

23. 3. Protect stored cardholder data

24. 4. Encrypt transmission of cardholder data across open, public
networks

25. 5. Use and regularly update anti-virus software or programs

26. 6. Develop and maintain secure systems and applications

27. 7. Restrict access to cardholder data by business need to know
Access Restricted

28. 8. Assign a unique ID to each person with computer access

29. 9. Restrict physical access to cardholder data

30. 10. Track and monitor all access to network resources and
cardholder data

31. 11. Regularly test security systems and processes

32. 12. Maintain a policy that addresses information security for all
personnel

33. And if you’re feeling particularly motivated and want to dig in deep, you can learn
more about these requirements on Payment Security Council’s official website.

34. 34
THANKS!
 If you have any questions about this document please don’t hesitate to
contact us at:
 https://cheapsslsecurity.com/blog/
 https://twitter.com/sslsecurity
 https://www.facebook.com/CheapSSLSecurities
 https://plus.google.com/+Cheapsslsecurity