2017 Payment Security Report
Revealing the challenges in sustaining payment card securityby Ciske van Oosten | Verizon RISK Team | 11/07/2017
In 2016, for the first time, more than half (55.4%) of organizations were fully PCI DSS (see below) compliant at interim validation—compared with 48.4% in 2015. Full compliance has increased almost five-fold compared to our analysis of 2012 assessments.
Despite this general improvement, the control gap of companies failing their interim assessment has actually grown worse. In 2015, companies failing their interim assessment had an average of 12.4% of controls not in place (6.8% across all companies). In 2016, this increased to 13.0% (5.8%).
Many of the security controls that were not in place cover fundamental security principles that have broad applicability. Their absence could be material to the likelihood of an organization suffering a data breach. Indeed, no organization affected by payment card data breaches was found to be in full compliance with the PCI DSS during a subsequent Verizon PCI forensic investigator (PFI) inquiry.
This report delves into the detail of payment security and PCI DSS compliance and analyzes compliance patterns and control failures from global, regional, and industry perspectives. It’s the only major industry publication based on data from real compliance validation assessments.
The inclusion of insights from our Data Breach Investigations Report (DBIR) specific to companies that have suffered from payment card data breaches makes this report a unique resource for compliance professionals.
To read more, please log in
Business Email Compromises in Office 365
A Q&A with Chris Salsberry of The Crypsis Group
One of the most prominent cyber threats affecting companies right now is business email compromise (BEC). These attacks typically begin with phishing emails that capture log-in credentials. The widely used cloud-based Microsoft Office 365 has proven especially vulnerable, with millions of dollars lost in fraudulent wire transfers over the past couple of years. We talked to The Crypsis Group’s senior director Chris Salsberry about this attack vector and how companies can avoid being compromised.