The recent massive data breaches at RBS WorldPay Inc. and Heartland Payment Systems Inc., two merchant acquirers deemed in compliance with the Payment Card Industry data-security standard by qualified assessors, left many in the industry questioning the effectiveness of the PCI standard. But a newly released report from Verizon Business concludes that PCI compliance is still critically important to protecting confidential cardholder information.

Of organizations that were subject to the PCI standard, a “staggering 81%” of those suffering data compromises were found non-compliant prior to being breached, according to the “2009 Verizon Business Data Breach Investigations Report” released on Wednesday. The study is based on Verizon's analysis of 285 million compromised records from 90 confirmed data breaches in 2008.

“Nobody ever claimed that PCI was a guarantee that a PCI-compliant organization would never, ever suffer a data breach,” says Wade Baker, research and intelligence principal at Verizon Business. “I would say locking my front door at night is important. Someone may still break in but I'm still going to do that.”

Of the breached organizations, 19% had either claimed compliance or been found compliant in their last assessment, Baker says. But in many cases, the breach occurred as much as 11 months after the assessment. “You have a whole year there where systems change and maybe even management changes and the IT environment changes,” he says. “It's certainly possible to be compliant at one point in time and not compliant at another point in time.”

In addition, the assessment methodology may have errors. “The auditor would look at the systems that had card data on them,” Baker says.
“But in over a third of cases, the breach happened to a system that really wasn't supposed to have card data on it … Those systems really would not be in scope for that audit.”

Another “sobering” finding of the report is that third parties discovered 69% of the breaches, Baker says. Many organizations don't have technologies to detect intrusions, turn off or ignore the alarms because they generate a high number of false positives, or don't check their data-log files. “We find evidence of the breach in the company's own log file,” Baker says. “They have the information, it's just that the various technologies and processes aren't looking at and acting upon that information.”

Cybercriminals also are increasingly targeting financial systems in search of PINs and associated credit and debit account numbers, Verizon found. Account numbers with PINs make it more difficult for the card companies to detect fraud. During 2008, attacks targeting financial services more than doubled, accounting for 30% of all data breaches, according to the report. Financial services accounted for more than nine in 10 of the more than 285 million records compromised.

Other key findings from the report include:

– Sixty-four percent of the breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware (malicious software) on a system to collect data.

– Despite widespread concern over desktop computers, mobile devices, and other hardware used by consumers or employees, 99% of all breached records were compromised from servers and applications.

– About 20% of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and half of the breaches consisted of interrelated incidents often caused by the same individuals.
Verizon Business is a unit of New York City-based telecommunications giant Verizon Telecommunications Inc.