DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Verizon PCI DSS Compliance Study: breached entities 50% less likely to be compliant

Posted on October 4, 2010 by Dissent

A new report from Verizon Business shows that following industry security standards can dramatically reduce such incidents.

In a first-of-its-kind “Verizon Payment Card Industry Compliance Report,” the company examined compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006 to protect cardholder data and reduce credit card fraud.  Company investigators found that breached organizations are 50 percent less likely to be PCI compliant and that only 22 percent of organizations were PCI compliant at the time of their initial examination.

In addition to assessing the effectiveness of the PCI DSS  standards, the report identifies which attack methods are most common and provides recommendations for businesses on earning and maintaining PCI compliance.

Some of the key findings:

  • 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year after year repeat clients.
  • On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. Naturally, there was some variation around this number but not many (11% of clients) passed less than 50% of tests.
  • Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).
  • Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.
  • Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.
  • All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard that mitigate risk posed by these threat actions.

In light of some of the hospitality sector breaches, I was especially curious as to what they would find with respect to vendor defaults:

Default passwords, settings, and configurations are common attack points for hackers because they are such easy fare. As evidenced by the 48% that initially passed Requirement 2, many organizations have difficulty eliminating them. There were three big reasons clients didn’t have more success with this requirement: they didn’t sufficiently harden systems by turning off extra services (2.2.2) and functionality (2.2.4), they didn’t document why certain services and functions could not be removed due to business reasons (as required by 2.2.2 and 2.2.4), and they didn’t encrypt all non-console admin traffic (2.3).

You can read more of the findings and their recommendations on Verizon’s site.

Category: Commentaries and AnalysesOf Note

Post navigation

← Hackers Steal $600,000 from Brigantine, NJ
Ireland: Company directors could be held liable for data breaches →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.