FINANCIAL SERVICES - Verizon Enterprise Solutions
Industry Report
Verizon 2015 PCI Compliance Report
FINANCIAL SERVICES

Despite being at the centre of the payment ecosystem, financial services companies lag behind other industries when it comes to PCI DSS compliance.

Your business is built on trust: whether you’re a payment service provider, processor, card issuer, or acquirer — your customers rely on you to keep their information secure. But criminals are trying to breach your defenses to capture cardholder data. And if they succeed, it could cause irreparable harm to your own reputation as well as your customers’. PCI DSS compliance is a key way of managing this risk.

When Verizon forensic investigators are called in to perform a data breach investigation, we determine the status of compliance with PCI DSS requirements at the time of the breach. Companies that experience a data breach almost always show much lower compliance levels than organizations we assess as part of our usual annual PCI validation assessments. As a result, we’re confident that PCI DSS compliance is a useful baseline for comparing your own security preparations against your peers in financial services and other sectors.

COMPLIANCE IS AN INDICATOR OF SECURITY

Security and risk management are not the same as compliance with the PCI Data Security Standard (PCI DSS), but they are directly connected. Our research shows a strong correlation between compliance with the PCI DSS and the chances of suffering a data breach.

Financial services firms operate at the heart of the payment ecosystem and, in both the merchants’ and consumers’ eyes, have a key responsibility for securing their payment data and controlling fraud. Yet our analysis in the Verizon 2015 PCI Compliance Report shows that financial services actually performed lower than the whole-industry average. This document is a snapshot of the findings, focused on the financial services sector.

8%: 8% of financial services firms were validated as fully compliant with all the controls of the PCI DSS at interim assessment from 2012–2014 — compared to 12% across all industries.

[Figure 1: Compliance in financial services by PCI DSS Requirement (1–12); 2012–2014. Bar chart of full and average compliance at interim assessment, financial services versus all industries, for the 12 disciplines: Maintaining Firewalls, Securing Configurations, Protecting Stored Data, Protecting Data in Transit, Maintaining Anti-Virus, Maintaining Secure Systems, Restricting Access, Authenticating Access, Controlling Physical Access, Logging and Monitoring, Testing Security Systems, Maintaining Security Policies.]

This report uses data from validation assessments carried out between 2012 and 2014, covering both PCI DSS 2.0 and 3.0. When a new version of the Standard is introduced, compliance often drops and then rises again as companies adapt. Therefore, as we go into DSS 3.0, we’ve taken a view of how key industries have performed across the lifetime of DSS 2.0. For full details of our methodology, please see the full report.

84%: 84% of organizations across all sectors that had suffered a data breach in 2014 had failed to comply with Maintaining Secure Systems [Requirement 6].

HOW FINANCIAL SERVICES COMPANIES FARED

To ensure the most robust analysis, we gathered all our data from PCI DSS assessments across 2012–2014. Across all sectors, the average compliance was 94%. But only 12% of organizations were validated as fully compliant with the Standard at the time of their interim assessment during this three-year period.

In financial services, average compliance stood at 93% in the same three-year period, very close to the all-industry average. Within the sector, payment service providers outperformed banks, while card issuing processors have been the slowest in successfully adopting PCI DSS. But only 8% of financial services organizations were validated as fully compliant at the time of their interim assessment, and the financial services sector scored below the all-industry average in every one of the 12 security disciplines governed by the PCI DSS.

What’s the explanation? In our experience of conducting PCI DSS assessments, it’s not that finance organizations are neglecting security entirely or lacking a documented security strategy; it’s that they have been slow to update it. Policies are often outdated, even locked away on paper where they’re hard for staff to refer to, apply, or update. These policies are rarely aligned directly to the specific requirements of the PCI Data Security Standard, or, more importantly, to the changing technology and business-risk landscape.

LEGACY SYSTEMS COMPLICATE COMPLIANCE

Of the 12 security disciplines studied, financial services companies performed worst at Maintaining Secure Systems [Requirement 6]. While average compliance with this Requirement in financial services stood at 98% — higher than the all-industry average — only 20% were fully compliant. The financial services industry still lagged behind other sectors in overall compliance. This Requirement calls for you to guard against emerging vulnerabilities through effective software patching.

MAINTAINING SECURE SYSTEMS (PCI DSS Requirement 6, 2012–2014 data)
                     Full   Average
Financial services   20%    98%
All industries       41%    96%

Research by our RISK team, which produces our Data Breach Investigations Report, found that 84% of organizations that had suffered a data breach in 2014 had failed to comply with PCI DSS Requirement 6. Financial services organizations scored less than half as well as the all-industry average for full compliance with Maintaining Secure Systems.

This Requirement [Maintaining Secure Systems] is clearly challenging for all sectors, but it’s particularly difficult for finance organizations due to their use of proprietary software, bespoke application development practices, and legacy systems, including mainframes. If this is the case, you may struggle with the amount of effort that’s needed to bring your systems in line with the modern secure coding and development practices that PCI DSS specifies. And it’s not just your own systems and applications that you need to keep secure. Third-party systems are also covered by this Requirement. This includes any software development or configuration that’s outsourced to another company, infrastructure maintained at data centers and contact centers, as well as the systems used by kiosks and point of sale (POS) terminals.

IT’S NOT ENOUGH TO THINK YOU’RE SECURE

Finance organizations also had problems with Testing Security Systems [Requirement 11]. Just 23% of organizations within the financial services industry fully met all the required security controls. Organizations clearly struggle to make regular testing part of business as usual.

TESTING SECURITY SYSTEMS (PCI DSS Requirement 11, 2012–2014 data)
                     Full   Average
Financial services   23%    96%
All industries       27%    81%

Testing Security Systems had the lowest level of full compliance across all industries at just 27% — in fact, 14 of the 20 testing procedures with the lowest compliance were within this Requirement 11. The area where finance organizations struggled most was performing internal vulnerability scans [Control 11.2]. Your vulnerability scans should cover all in-scope systems, both external-facing and internal ones too. These scans should be conducted at least quarterly and rescanned as needed until all significant vulnerabilities are resolved. As well as these regular scans, PCI DSS requires companies to conduct a scan after any significant change to the cardholder data environment. External scans must be performed by an Approved Scanning Vendor (ASV), but internal scans can be conducted by in-house teams or outsourced to an independent third party. Both need to be conducted and documented. Consistent testing exposes the security holes in networks and applications, so you can then close them. To maintain the security of cardholder data it’s vital that you find and fix vulnerabilities in applications and infrastructure quickly.

23%: Just 23% of financial services organizations were compliant with all the demands of Testing Security Systems [Requirement 11] in 2012 to 2014.

PROTECTING STORED DATA

Protecting Stored Data [Requirement 3] has particular relevance in the financial services sector due to regulation around retaining records — up to seven years in some cases. Attackers often focus on compromising stored data. As reported in the Verizon 2014 Data Breach Investigations Report, almost half (48%) of compromises involving payment card data breaches involved data that was stored unencrypted. Encryption can play an important role in complying with this Requirement. You should consider providing your customers with a P2PE solution, using tokenization, or outsourcing any processes involving cardholder data or authentication data to reduce the amount of data you need to protect. It’s important to have robust procedures for disposing of records when no longer needed.

Full compliance in this area [Requirement 3] across all industries was 38%; the financial services sector was significantly behind this on 30%. While full compliance is lower in financial services, average compliance is actually slightly higher, at 97% versus 93%. This suggests that financial services organizations are generally pretty good at complying with most of the controls, but fall at the last hurdle.

PROTECTING STORED DATA (PCI DSS Requirement 3, 2012–2014 data)
                     Full   Average
Financial services   30%    97%
All industries       38%    93%

It’s important to remember that this Requirement doesn’t just cover information held electronically, but also paper-based records. It’s important to have robust procedures for ensuring that records are held securely and disposed of properly when no longer required.

WHAT’S THE RIGHT APPROACH?

29%: Less than a third of all companies, in 2014, were found to be fully compliant when reassessed within the 12 months following a successful PCI DSS compliance validation.

Like all sectors, the financial services sector has strengths and weaknesses in its handling of risk, security, and compliance. It’s vitally important that you are aware of the specific issues raised by a PCI DSS assessment, and that you correct them in order to achieve compliance and close specific vulnerabilities. But that shouldn’t mean you lose sight of the big picture.

Your overall security approach shouldn’t just involve a set of preventative measures: while putting in place things like firewalls and access controls is a valuable baseline of defense for any organization that processes payments, it’s vital to also look at detecting the inevitable security attacks as early as possible, mitigating damage, and identifying residual risk. No organization should rely on their annual PCI DSS compliance assessment to serve this role — an assessment can uncover gaps, but it is a snapshot and no substitute for a comprehensive and ongoing IT security and risk-management strategy.

Taking a broader approach to governance, risk, and compliance is the only answer. We recommend you coordinate a plan for all kinds of risk — not only hackers trying to steal payment card data. When you carefully and continuously evaluate your whole infrastructure, people and processes, you can not only better protect your customers’ data, but uncover opportunities to consolidate infrastructure and make operations more efficient, which can help offset the cost of investments in security.
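The Control 11.2 scanning practice described under Testing Security Systems (at least quarterly, rescan until significant findings are resolved, scan again after any significant change, external scans by an ASV) turned into a checker over a scan history, as an added example that is not part of the Verizon report. The `Scan` record shape, the 92-day quarterly threshold, the 30-day post-change window and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Scan:                 # constructed record shape, not a real scanner's output
    run_on: date
    scope: str              # "internal" or "external"
    vendor: str             # "asv" or "in-house"
    open_high: int          # significant vulnerabilities still open after this scan

def review_scans(scans, changes, period_start, period_end, max_gap=92, window=30):
    """Check a scan history against the 11.2 practice in the text. `changes` holds
    (date, description) pairs for significant CDE changes. Empty result: all rules met."""
    findings = []
    for scope in ("internal", "external"):
        runs = sorted((s for s in scans if s.scope == scope), key=lambda s: s.run_on)
        # at least quarterly: no gap longer than a quarter anywhere in the period
        dates = [period_start] + [s.run_on for s in runs] + [period_end]
        for a, b in zip(dates, dates[1:]):
            if (b - a).days > max_gap:
                findings.append(f"{scope}: gap of {(b - a).days} days after {a}")
        # rescan as needed: open significant findings must be followed by a clean scan
        for i, s in enumerate(runs):
            if s.open_high and not any(t.open_high == 0 for t in runs[i + 1:]):
                findings.append(f"{scope}: {s.open_high} finding(s) from {s.run_on} never rescanned clean")
        # external scans must be performed by an Approved Scanning Vendor (ASV)
        if scope == "external":
            findings += [f"external: scan on {s.run_on} not by an ASV" for s in runs if s.vendor != "asv"]
    # a scan must follow every significant change to the cardholder data environment
    for when, what in changes:
        if not any(when <= s.run_on <= when + timedelta(days=window) for s in scans):
            findings.append(f"change '{what}' on {when}: no scan within {window} days")
    return findings

PERIOD = (date(2014, 1, 1), date(2014, 12, 31))
SAMPLE_SCANS = [  # constructed sample year with deliberate gaps, an unresolved finding and a non-ASV scan
    Scan(date(2014, 1, 10), "internal", "in-house", 2),
    Scan(date(2014, 1, 24), "internal", "in-house", 0),   # clean rescan after fixes
    Scan(date(2014, 4, 8), "internal", "in-house", 0),
    Scan(date(2014, 9, 2), "internal", "in-house", 1),    # late, and never rescanned clean
    Scan(date(2014, 1, 15), "external", "asv", 0),
    Scan(date(2014, 4, 14), "external", "in-house", 0),   # external scan not by an ASV
    Scan(date(2014, 7, 10), "external", "asv", 0),
    Scan(date(2014, 10, 6), "external", "asv", 0),
]
SAMPLE_CHANGES = [(date(2014, 4, 1), "new payment gateway"),      # followed by the April scans
                  (date(2014, 11, 20), "firewall rule rewrite")]  # no scan afterwards

def sample_findings():
    return review_scans(SAMPLE_SCANS, SAMPLE_CHANGES, *PERIOD)
```

Run over the sample year it reports five findings: two quarterly gaps on the internal side, one unresolved internal finding, one external scan not performed by an ASV, and one change with no follow-up scan.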
HOW CAN WE HELP?

Having conducted more than 5,000 PCI DSS assessments since 2009, we have an unrivaled perspective on the world of payment card security, and the solutions to help you with the most pressing compliance challenges:

1. Make PCI DSS compliance sustainable
It’s not enough just to comply at the time of assessment. You need to introduce effective security controls and maintain them. Our Professional Services offer practical solutions that can help you improve compliance management and succeed in making security and compliance sustainable against the latest PCI security standards.

2. Take control of vulnerabilities
It’s vital that you identify and address security issues before they become serious problems. Our patch management and associated Vulnerability Management Services complement standard penetration tests and help you detect and prioritize complex vulnerabilities in applications and infrastructure. We also help with remediation, including secure coding, plus best-practice change management.

3. Keep control of access
Restricting access to data on a need-to-know basis will help to keep your data secure. Our Identity and Access Management services can help you define and implement role-based access management, then automate identity management. This limits employees’ access to only the information that they need to do their job, protecting not just cardholder data but other commercially sensitive information too.

The Verizon 2015 PCI Compliance Report is the industry’s go-to resource for data-driven insights on payment card security and compliance. To find out more, visit: verizonenterprise.com/pcireport/2015.

verizonenterprise.com
© 2015 Verizon. All Rights Reserved.