Verizon 2014 PCI Compliance Report

Highlights from our in-depth research into the current state of PCI Security compliance.

In 2013, 64.4% of organizations failed to restrict each account with access to cardholder data to just one user — limiting traceability and increasing risk. (Requirement 8)

Executive Summary

2 VERIZON ENTERPRISE SOLUTIONS

EXECUTIVE SUMMARY | VERIZON 2014 PCI COMPLIANCE REPORT

DON’T BECOME A STATISTIC

Just over a month into 2014 and we’ve seen several major data breaches hit the headlines. Global losses from payment card fraud are growing — The Nilson Report estimates that they exceeded $11.2 billion in 2012 [1]. It’s not just cardholders that are affected by card fraud. When a company suffers a data breach and cardholder data is lost, they are likely to face remediation costs, notification costs, financial penalties from acquirers, and the loss of customer trust — leading to lost business.

Criminals are using increasingly sophisticated techniques to try and breach your defenses. And if they succeed, it could cause irreparable harm to your company’s reputation — you only have to look at the news to see the effect a breach can have. That’s why Payment Card Industry (PCI) Security compliance is so important.

In the worst-case scenario, you could be prevented from accepting card payments entirely.

The security controls you put in place as part of a PCI Security compliance program can help keep cardholder data, and your hard-earned reputation, safe.

Our 2014 PCI Compliance Report offers a unique insight into the state of compliance with the PCI Data Security Standard (PCI DSS). That’s because it’s built on a unique foundation of data. We are one of the most respected security providers in the world, and our team of Qualified Security Assessors (QSAs) is one of the largest of its kind.

PCI COMPLIANCE SHOULD MATTER TO YOU AND TO EVERY EXECUTIVE IN YOUR BUSINESS.

[Figure: Global Card Fraud Losses ($Billions), 2000 to 2012, y-axis $0 to $12B. Data from The Nilson Report, August 2013.]


PCI DSS MAKES BUSINESS SENSE

Unless you’re a security expert, you probably think that PCI Security compliance has little to do with you — surely your security team has that in hand? The fact is, PCI Security compliance should matter to you and to everybody in your business — from cashier to CEO, and IT to marketing.

The PCI Security standards exist to help organizations protect cardholder data; data that you likely store, transmit, and process throughout your business — thousands of times a day, if you work for a medium or large organization. But no matter what size your organization, the countries you operate in, or your industry, this data is immensely attractive to attackers because it’s the easiest to convert into what they’re really after: money.

It’s quite likely that inefficient compliance programs are draining your budget and even disrupting your operations, due to the significant technology and process changes they involve.

But compliance programs can only protect you when they’re done right. As well as being experts in PCI Security, our consultants and assessors have deep industry knowledge, gained through years of experience working directly within retail, hospitality, financial services, healthcare, and other sectors. This knowledge means we truly appreciate your challenges, put PCI requirements into the context of your industry-specific regulations and standards, and make recommendations not just in terms of IT change, but business process transformation, too.

Complying with PCI Security standards promotes good business practice. This can drive improvements in business processes; not just in IT, but across your organization.

So the questions you should be asking are: how can we work together as an organization to get PCI compliance right? And how can we make compliance work for us?

The Verizon 2014 PCI Compliance Report can help you answer those questions.

88.9% OF ORGANIZATIONS FAILED THEIR 2013 PCI BASELINE ASSESSMENT.

Since 2009, our Qualified Security Assessors (QSAs) have performed more than 4,000 assessments, across more than 500 enterprises, in over 50 countries. This experience gives us unparalleled insight into protecting cardholder data.


ONE WEAKNESS IS ALL IT TAKES

Criminals only need one chink in your company’s armor to get in. But identifying and closing every potential weakness isn’t easy. The PCI DSS sets a minimum security standard with which all companies processing payments should comply.

Organizations may transmit, process, and store cardholder data across hundreds of systems — PCs, mobile devices, web servers, databases, and point-of-sale devices — using private and public networks, touched not only by customers but hundreds or thousands of staff. There are hundreds of controls that must be met, and some of the individual requirements are potentially quite challenging for any organization to attain.

That’s why it’s all the more alarming that some organizations fail to take compliance seriously. Some companies still treat compliance as a one-off annual scramble that the security team owns and the rest of the business grumbles about. But if you don’t work at compliance, just one new uncontrolled Wi-Fi access point, unprotected admin account, or unencrypted drive could take you out of compliance.

THE STATE OF COMPLIANCE

Our research shows that between 2011 and 2013 there was significant variation across the 289 controls within PCI DSS 2.0 — from 98.0% compliance all the way down to just 39.6%.

And while our evidence also suggests that more organizations are achieving a high level of PCI Security compliance than in previous years, there’s still a long way to go.

In 2013, just 11.1% of organizations were fully compliant at the time of their annual baseline assessment — up from 7.5% in 2012.

Just over 70% of organizations that we assessed in 2013 were “nearly there” — complying with 81-99% of controls — up from 25% in 2012.

What caused this increase? We think that three of the main contributing factors were:

• Increased awareness around data security: Efforts by the PCI governing body, the card brands, and security vendors have paid off. More IT and business leaders understand the importance of data protection and how to achieve it.

• Increased appreciation of the value of compliance: The consequences of data breaches, and the value of implementing effective security controls, are now better appreciated across the business — partly due to increased media coverage of breaches.

• Increased maturity of the standard: Each version of the DSS has addressed ambiguity and improved clarity around the interpretation and intent of the security controls.

66% OF BREACHES TOOK MONTHS, OR EVEN YEARS, TO DISCOVER. (Verizon 2013 Data Breach Investigations Report)

[Figure: Controls in order of % compliance; y-axis "Average compliance", 0% to 100%. Average compliance across all requirements between 2011 and 2013 = 71.5%.]


DOES COMPLIANCE HELP?

When we compared the PCI DSS compliance of companies in our report with data from our 2013 Data Breach Investigations Report, we found that companies suffering a data breach were much less likely to be effective at:

• Limiting access to cardholder data on a need-to-know basis. This is one of the golden rules of security — covered by Requirement 7 of the DSS. This requirement came second to last in our index, suggesting that allowing too many people access to sensitive data increases your chances of facing a data breach.

• Log management: Device logs — covered by Requirement 10 of the DSS — may not sound very interesting, but they are crucial to spotting the early warning signs of an attack, and reducing the loss of data should a breach occur. This requirement came last in our index, suggesting that failing to manage logs effectively is a key contributor to your chances of suffering a loss of cardholder data.

HOW SECURE IS YOUR COMPANY?

Within the headline figures above, there were significant variations in compliance:

INDUSTRY TO INDUSTRY

Between 2011 and 2013, twice as many retailers (69.7%) as hospitality organizations (35.0%) were compliant with at least 80% of the controls in DSS 2.0.

REGION TO REGION

In Europe, just 31.3% of organizations were compliant with at least 80% of controls, lagging the North America (56.2%) and Asia-Pacific (75.0%) regions.

REQUIREMENT TO REQUIREMENT

The majority (58.4%) of organizations in our study were found to effectively restrict access to cardholder data by business “need to know” (Requirement 7). But less than a quarter (23.8%) regularly tested security systems and processes in line with Requirement 11.

How does your company stack up? Our 2014 PCI Compliance Report can help you find out.

More than half of organizations that met 95% or more of the DSS 2.0 controls failed to assess how well security systems and processes are tested.

Breached organizations were much less likely to be restricting access to cardholder data on a “need to know” basis.

[Figure: Verizon PCI Relative Compliance Index for data breach victims, scale -5 to 0 (< Worse, Better >), by requirement: 1. Firewalls, 2. Default passwords, 3. Encryption, 4. Secure comms, 5. Anti-virus, 6. System patches, 7. Need to know, 8. Unique IDs, 9. Physical access, 10. Log management, 11. Ongoing testing, 12. People. Plotted values as extracted: -2, -1.6, -2.5, -0.8, -3.2, -2.8, -3.5, -2.1, -4.0, -2.5, -3.1, 0.0. Data Breach Victims: Relative Compliance -2.3.]

Organizations investigated after a breach showed less effective log management policies.


MAKING COMPLIANCE WORK FOR YOU

If you’re only looking at PCI Security compliance as a cost of doing business, you’re missing an opportunity. You should treat your compliance program as an investment to be leveraged. Done right, compliance can drive process improvements, identify opportunities to consolidate infrastructure, and generate new revenue for your business.

The benefits can be wide-ranging:

IMPROVED BUSINESS EFFICIENCY

PCI Security compliance initiatives provide a valuable opportunity to study and reconsider your business operations from end to end. Many organizations have found that the process of achieving compliance can have an immediate and positive effect through process optimization, improved internal communication, and greater management oversight of security and associated spending.

MORE EFFICIENT IT SERVICES

Efforts to comply with PCI Security standards almost always involve changes to IT as well as the business. Compliance programs offer an opportunity to take a strategic view of systems and investments that may have built up over years or even decades, leading to many benefits. For example, it might help you to make the case to consolidate and revamp infrastructure, producing benefits in security, business continuity, manageability, and system performance.

REDUCED RISK

A PCI Security compliance program is often the first time any serious attention is given to information assurance within an organization. The baseline set of controls it provides can be applied to other kinds of data and systems outside of the cardholder data environment, helping improve overall security and reducing exposure to risk.

INCREASED INNOVATION

Compliance isn’t just about plugging gaps. PCI Security compliance can help drive innovation. It can drive the adoption of new technologies, ways of working, and business models — for example, some retailers have deployed new point-of-sale systems to meet PCI requirements and realized significant benefits in increased throughput and advertising opportunities. The controls put in place as part of PCI Security compliance can also help build a foundation to enable greater use of new technologies, like cloud computing and mobile.

INCREASED CUSTOMER TRUST

Tomorrow’s customer is going to be even more demanding than today’s. Big data and advanced analytics offer unprecedented insight into customer behavior; but only if they trust you with their data. Applying PCI Security standards across your customer operations will help protect your customer’s privacy.

COMPLIANCE SHOULDN’T BE AN ANNUAL CHORE, IT SHOULD BE PART OF BUSINESS AS USUAL.

Intrigued? To download the full report and look at the other Verizon 2014 PCI Compliance Report resources, visit our website: verizonenterprise.com/pcireport/2014

Research Report: Verizon 2014 PCI Compliance Report. An inside look at the business need for protecting payment card information.



OUR RECOMMENDATIONS

1 DON’T UNDERESTIMATE THE EFFORT INVOLVED

PCI compliance needs time, money, and executive sponsorship. It needs to be part of everybody’s job — application developers, system administrators, executives, and even staff in shops and call centers — not just left to the IT security team.

2 MAKE COMPLIANCE SUSTAINABLE

There are thousands of tasks that an organization must complete throughout the year to stay compliant. To be sustainable, compliance needs to be embedded in “business as usual” as an ongoing process.

3 THINK OF COMPLIANCE IN A WIDER CONTEXT

The best thing you can do as an organization to simplify your PCI compliance workload and achieve real security is to put your compliance program within your wider governance, risk, and compliance strategy.

4 LEVERAGE COMPLIANCE AS AN OPPORTUNITY

Done right, PCI Security compliance can drive process improvements, identify opportunities to consolidate infrastructure, and generate additional equity. Think of it as an opportunity, not a burden.

5 FOCUS ON SCOPING

There is a lot of misunderstanding around how to keep systems out of scope, but there are clear best practices to follow. The first is to store less data on fewer systems. This not only makes achieving compliance easier, it can also save you money on storage and backup.

verizonenterprise.com © 2014 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. GL00648-17 02/14

1. http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1023