FINANCIAL SERVICES - Verizon Enterprise Solutions

Industry Report
Verizon 2015 PCI Compliance Report
FINANCIAL SERVICES

Despite being at the centre of the payment ecosystem, financial services companies lag behind other industries when it comes to PCI DSS compliance.
Your business is built on trust: whether you’re a payment service provider, processor, card issuer, or acquirer — your customers rely on you to keep their information secure. But criminals are trying to breach your defenses to capture cardholder data. And if they succeed, it could cause irreparable harm to your own reputation as well as your customers’. PCI DSS compliance is a key way of managing this risk.
Companies that experience a data breach almost always show much lower compliance levels than organizations we assess as part of our usual annual PCI validation assessments. As a result, we’re confident that PCI DSS compliance is a useful baseline for comparing your own security preparations against your peers in financial services and other sectors.
COMPLIANCE IS AN INDICATOR OF SECURITY

Security and risk management are not the same as compliance with the PCI Data Security Standard (PCI DSS), but they are directly connected.

Our research shows a strong correlation between compliance with the PCI DSS and the chances of suffering a data breach.
Financial services firms operate at the heart of the payment ecosystem and, in both the merchants’ and consumers’ eyes, have a key responsibility for securing their payment data and controlling fraud. Yet our analysis in the Verizon 2015 PCI Compliance Report shows that financial services actually performed lower than the whole-industry average. This document is a snapshot of the findings, focused on the financial services sector.

When Verizon forensic investigators are called in to perform a data breach investigation, we determine the status of compliance with PCI DSS requirements at the time of the breach.
[Figure 1: Compliance in financial services by PCI DSS Requirement (1–12); 2012–2014. Chart titled "PCI DSS COMPLIANCE AT INTERIM ASSESSMENT", with panels for ALL INDUSTRIES and FINANCIAL SERVICES, plotting "Full" and "Average" compliance on a 0%–100% scale for each of the 12 requirements: Maintaining Firewalls, Securing Configurations, Protecting Stored Data, Protecting Data in Transit, Maintaining Anti-Virus, Maintaining Secure Systems, Restricting Access, Authenticating Access, Controlling Physical Access, Logging and Monitoring, Testing Security Systems, Maintaining Security Policies.]

8% of financial services firms were validated as fully compliant with all the controls of the PCI DSS at interim assessment from 2012–2014 — compared to 12% across all industries.
This report uses data from validation assessments carried out between 2012 and 2014, covering both PCI DSS 2.0 and 3.0. When a new version of the Standard is introduced, compliance often drops and then rises again as companies adapt. Therefore, as we go into DSS 3.0, we’ve taken a view of how key industries have performed across the lifetime of DSS 2.0. For full details of our methodology, please see the full report.

84% of organizations across all sectors that had suffered a data breach in 2014 had failed to comply with Maintaining Secure Systems [Requirement 6].
HOW FINANCIAL SERVICES COMPANIES FARED

To ensure the most robust analysis, we gathered all our data from PCI DSS assessments across 2012–2014. Across all sectors, the average compliance was 94%. But only 12% of organizations were validated as fully compliant with the Standard at the time of their interim assessment during this three-year period.

The financial services industry still lagged behind other sectors in overall compliance.

In financial services, average compliance stood at 93% in the same three-year period, very close to the all-industry average. Within the sector, payment service providers outperformed banks, while card issuing processors have been the slowest in successfully adopting PCI DSS.

But only 8% of financial services organizations were validated as fully compliant at the time of their interim assessment, and the financial services sector scored below the all-industry average in every one of the 12 security disciplines governed by the PCI DSS.

LEGACY SYSTEMS COMPLICATE COMPLIANCE

Of the 12 security disciplines studied, financial services companies performed worst at Maintaining Secure Systems [Requirement 6]. While average compliance with this Requirement in financial services stood at 98% — higher than the all-industry average — only 20% were fully compliant.

This Requirement calls for you to guard against emerging vulnerabilities through effective software patching.

What’s the explanation? In our experience of conducting PCI DSS assessments, it’s not that finance organizations are neglecting security entirely or lacking a documented security strategy; it’s that they have been slow to update it.

Policies are often outdated, even locked away on paper where they’re hard for staff to refer to, apply, or update.

These policies are rarely aligned directly to the specific requirements of the PCI Data Security Standard, or more importantly to the changing technology and business-risk landscape.

MAINTAINING SECURE SYSTEMS (PCI DSS Requirement 6, 2012-2014 data)
Financial Services: 20% full compliance, 98% average compliance
All industries: 41% full compliance, 96% average compliance

Research by our RISK team, which produces our Data Breach Investigations Report, found that 84% of organizations that had suffered a data breach in 2014 had failed to comply with PCI DSS Requirement 6.

Financial services organizations scored less than half as well as the all-industry average for full compliance with Maintaining Secure Systems.

This Requirement [Maintaining Secure Systems] is clearly challenging for all sectors, but it’s particularly difficult for finance organizations due to their use of proprietary software, bespoke application development practices, and legacy systems, including mainframes. If this is the case, you may struggle with the amount of effort that’s needed to bring your systems in line with the modern secure coding and development practices that PCI DSS specifies.

And it’s not just your own systems and applications that you need to keep secure. Third-party systems are also covered by this Requirement. This includes any software development or configuration that’s outsourced to another company, infrastructure maintained at data centers and contact centers, as well as the systems used by kiosks and point of sale (POS) terminals.
PROTECTING STORED DATA

Protecting Stored Data [Requirement 3] has particular relevance in the financial services sector due to regulation around retaining records — up to seven years in some cases.

Attackers often focus on compromising stored data. As reported in the Verizon 2014 Data Breach Investigations Report, almost half (48%) of compromises involving payment card data breaches involved data that was stored unencrypted.

Encryption can play an important role in complying with this Requirement. You should consider providing your customers with a P2PE solution, using tokenization, or outsourcing any processes involving cardholder data or authentication data to reduce the amount of data you need to protect.

It’s important to have robust procedures for disposing of records when no longer needed.

Full compliance in this area [Requirement 3] across all industries was 38%; the financial services sector was significantly behind this on 30%.

While full compliance is lower in financial services, average compliance is actually slightly higher, at 97% versus 93%. This suggests that generally financial services organizations are pretty good at complying with most of the controls, but fall at the last hurdle.

PROTECTING STORED DATA (PCI DSS Requirement 3, 2012-2014 data)
Financial Services: 30% full compliance, 97% average compliance
All industries: 38% full compliance, 93% average compliance

It’s important to remember that this Requirement doesn’t just cover information held electronically, but also paper-based records. It’s important to have robust procedures for ensuring that records are held securely and disposed of properly when no longer required.

IT’S NOT ENOUGH TO THINK YOU’RE SECURE

Finance organizations also had problems with Testing Security Systems [Requirement 11]. Just 23% of organizations within the financial services industry fully met all the required security controls.

Organizations clearly struggle to make regular testing part of business as usual.

TESTING SECURITY SYSTEMS (PCI DSS Requirement 11, 2012-2014 data)
Financial Services: 23% full compliance, 96% average compliance
All industries: 27% full compliance, 81% average compliance

Testing Security Systems had the lowest level of full compliance across all industries at just 27% — in fact 14 of the 20 testing procedures with the lowest compliance were within this Requirement 11.

The area where finance organizations struggled most was performing internal vulnerability scans [Control 11.2].

Your vulnerability scans should cover all in-scope systems, both external-facing and internal. These scans should be conducted at least quarterly and rescanned as needed until all significant vulnerabilities are resolved. As well as these regular scans, PCI DSS requires companies to conduct a scan after any significant change to the cardholder data environment.

External scans must be performed by an Approved Scanning Vendor (ASV), but internal scans can be conducted by in-house teams or outsourced to an independent third party. Both need to be conducted and documented.

Consistent testing exposes the security holes in networks and applications, so you can then close them. To maintain the security of cardholder data it’s vital that you find and fix vulnerabilities in applications and infrastructure quickly.

Just 23% of financial services organizations were compliant with all the demands of Testing Security Systems [Requirement 11] in 2012 to 2014.
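The Control 11.2 cadence rules described under Testing Security Systems above (every in-scope system scanned at least quarterly, rescanned until significant findings are resolved, rescanned after any significant change to the cardholder data environment, and external scans performed by an ASV) can be checked mechanically against a scan log. The following Python script is an added example written for this page; it is not Verizon's code or tooling. The asset names, scan dates, finding counts and change records are constructed sample data, and the 92-day and 30-day windows are assumptions, since the report does not define how "quarterly" is measured or how soon a post-change scan must follow.

```python
"""Check a vulnerability-scan log against the PCI DSS 11.2 cadence rules.

Added example, not part of the Verizon report. All assets, dates and
findings below are constructed; QUARTER and CHANGE_WINDOW are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

PERIOD_START = date(2014, 1, 1)
PERIOD_END = date(2014, 12, 31)
QUARTER = timedelta(days=92)        # assumption: "at least quarterly" = no gap over 92 days
CHANGE_WINDOW = timedelta(days=30)  # assumption: rescan within 30 days of a significant change

# Constructed scan log: (asset, scan date, "internal"/"external", who ran it,
# number of significant findings still open after that scan).
SCANS = [
    ("db-core-01",  date(2014, 1, 10),  "internal", "in-house", 0),
    ("db-core-01",  date(2014, 4, 5),   "internal", "in-house", 2),  # findings...
    ("db-core-01",  date(2014, 4, 20),  "internal", "in-house", 0),  # ...rescanned clean
    ("db-core-01",  date(2014, 7, 1),   "internal", "in-house", 0),  # covers 6/15 change
    ("db-core-01",  date(2014, 9, 29),  "internal", "in-house", 0),
    ("db-core-01",  date(2014, 12, 20), "internal", "in-house", 0),
    ("web-gw-01",   date(2014, 2, 1),   "external", "ASV", 0),
    ("web-gw-01",   date(2014, 5, 1),   "external", "ASV", 0),
    ("web-gw-01",   date(2014, 7, 20),  "external", "in-house", 1),  # not ASV, never rescanned
    ("pos-ctrl-07", date(2014, 3, 3),   "internal", "in-house", 0),  # only one scan all year
]
IN_SCOPE_ASSETS = ["db-core-01", "web-gw-01", "pos-ctrl-07", "mainframe-a"]
# Constructed list of significant changes to the cardholder data environment.
SIGNIFICANT_CHANGES = [
    ("db-core-01", date(2014, 6, 15)),
    ("pos-ctrl-07", date(2014, 8, 1)),
]


def check_scan_cadence(scans, assets, changes, start=PERIOD_START, end=PERIOD_END):
    """Return human-readable findings; an empty list means every rule is met
    for the given assets within the review period."""
    findings = []
    by_asset = defaultdict(list)
    for asset, when, kind, scanner, open_findings in scans:
        if asset not in assets:
            continue
        # External scans must come from an Approved Scanning Vendor.
        if kind == "external" and scanner != "ASV":
            findings.append(f"{asset}: external scan on {when} not performed by an ASV")
        if start <= when <= end:
            by_asset[asset].append((when, open_findings))

    for asset in assets:
        history = sorted(by_asset.get(asset, []))
        if not history:
            findings.append(f"{asset}: no scans in period")
            continue
        # Quarterly cadence: no gap over QUARTER from period start, between
        # consecutive scans, or from the last scan to the period end.
        checkpoints = [start] + [when for when, _ in history] + [end]
        for prev, nxt in zip(checkpoints, checkpoints[1:]):
            if nxt - prev > QUARTER:
                findings.append(
                    f"{asset}: {(nxt - prev).days}-day gap between {prev} and {nxt} "
                    "exceeds quarterly cadence")
        # Rescan until clean: the most recent scan must not have left findings open.
        last_when, last_open = history[-1]
        if last_open:
            findings.append(
                f"{asset}: {last_open} significant finding(s) from {last_when} never rescanned")

    # A scan must follow every significant change to the CDE.
    for asset, changed in changes:
        if asset not in assets:
            continue
        rescanned = any(changed <= when <= changed + CHANGE_WINDOW
                        for when, _ in by_asset.get(asset, []))
        if not rescanned:
            findings.append(
                f"{asset}: no scan within {CHANGE_WINDOW.days} days of "
                f"significant change on {changed}")
    return findings


if __name__ == "__main__":
    for line in check_scan_cadence(SCANS, IN_SCOPE_ASSETS, SIGNIFICANT_CHANGES):
        print(line)
```

Run as-is, the script reports one finding per rule that the constructed log violates: the external scan run in-house, the 164-day gap on the web gateway, the open finding that was never rescanned, the 303-day gap and the unscanned change on the POS controller, and the mainframe that never appears in the log at all. The same structure maps directly onto a real scanner export; the point is that "we scan quarterly" is only demonstrable when the asset inventory, the scan dates, the open-finding counts and the change log are all kept and compared.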
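The Protecting Stored Data advice above (find unencrypted cardholder data, shrink it through tokenization or encryption, and dispose of records once the retention period ends) starts with knowing where cleartext primary account numbers actually sit. The script below is an added example, not Verizon's code: it scans constructed sample records for Luhn-valid card numbers, masks anything it finds so the tool never re-emits a full PAN, and flags records held beyond an assumed seven-year retention period so they can be disposed of rather than protected. The record layout, the "as of" date and the well-known test card numbers are all constructed for the example.

```python
"""Cleartext PAN discovery and retention check over stored records.

Added example, not from the Verizon report. Records, dates, field names and
the seven-year retention window are constructed assumptions.
"""
import re
from datetime import date, timedelta

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run. Candidates are then confirmed with Luhn.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

RETENTION = timedelta(days=7 * 365)  # assumption: seven-year retention, as in the report's example
TODAY = date(2015, 3, 1)             # constructed "as of" date for the check

# Constructed records; the card numbers are public test numbers, not real accounts.
RECORDS = [
    {"id": 1, "stored": date(2014, 11, 3), "note": "refund to card 4111 1111 1111 1111, ref 1234567890123456"},
    {"id": 2, "stored": date(2007, 2, 1),  "note": "tok_9f3a2c settled"},
    {"id": 3, "stored": date(2014, 12, 12), "note": "chargeback 5500000000000004"},
    {"id": 4, "stored": date(2006, 6, 30), "note": "dispute on 4111111111111111"},
]


def luhn_ok(digits):
    """Standard Luhn check digit validation over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings of every Luhn-valid card-number candidate in text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep only the last four digits, so reports never contain a full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit_records(records, today=TODAY, retention=RETENTION):
    """Classify each record: dispose if past retention, tokenize-or-encrypt if
    it holds a cleartext PAN, otherwise ok."""
    report = []
    for rec in records:
        pans = find_pans(rec["note"])
        expired = today - rec["stored"] > retention
        if expired:
            action = "dispose"              # beyond retention: nothing left to protect
        elif pans:
            action = "tokenize-or-encrypt"  # in retention but stored in the clear
        else:
            action = "ok"
        report.append({"id": rec["id"], "cleartext_pans": [mask(p) for p in pans],
                       "past_retention": expired, "action": action})
    return report


if __name__ == "__main__":
    for row in audit_records(RECORDS):
        print(row)
```

Note that record 1 also contains a 16-digit reference number that the regex picks up but the Luhn check rejects, which is why discovery tools pair a pattern with the check digit rather than flagging every long number. The output is a remediation worklist: tokenize or encrypt what is still within retention, and destroy what is not; the paper records and outsourced systems the report mentions need the same decision made by hand.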
WHAT’S THE RIGHT APPROACH?

Less than a third (29%) of all companies, in 2014, were found to be fully compliant when reassessed within the 12 months following a successful PCI DSS compliance validation.

Like all sectors, the financial services sector has strengths and weaknesses in its handling of risk, security, and compliance.

It’s vitally important that you are aware of the specific issues raised by a PCI DSS assessment, and for you to correct them in order to achieve compliance and close specific vulnerabilities.

But that shouldn’t mean you lose sight of the big picture.

Your overall security approach shouldn’t just involve a set of preventative measures: while putting in place things like firewalls and access controls is a valuable baseline of defense for any organization that processes payments, it’s vital to also look at detecting the inevitable security attacks as early as possible, mitigating damage, and identifying residual risk.

No organization should rely on their annual PCI DSS compliance assessment to serve this role — an assessment can uncover gaps, but it is a snapshot and no substitute for a comprehensive and ongoing IT security and risk-management strategy.

Taking a broader approach to governance, risk, and compliance is the only answer. We recommend you coordinate a plan for all kinds of risk — not only hackers trying to steal payment card data. When you carefully and continuously evaluate your whole infrastructure, people and processes, you can not only better protect your customers’ data, but uncover opportunities to consolidate infrastructure and make operations more efficient, which can help offset the cost of investments in security.
HOW CAN WE HELP?

Having conducted more than 5,000 PCI DSS assessments since 2009, we have an unrivaled perspective on the world of payment card security, and the solutions to help you with the most pressing compliance challenges:

1. Make PCI DSS compliance sustainable
It’s not enough just to comply at the time of assessment. You need to introduce effective security controls and maintain them. Our Professional Services offer practical solutions that can help you improve compliance management and succeed in making security and compliance sustainable against the latest PCI security standards.

2. Take control of vulnerabilities
It’s vital that you identify and address security issues before they become serious problems. Our patch management and associated Vulnerability Management Services complement standard penetration tests and help you detect and prioritize complex vulnerabilities in applications and infrastructure. We also help with remediation, including secure coding, plus best practice change management.
3. Keep control of access
Restricting access to data on a need-to-know basis will help to keep your data secure. Our Identity and Access Management services can help you define and implement role-based access management, then automate identity management. This limits employees’ access to only the information that they need to do their job, protecting not just cardholder data but other commercially sensitive information too.
The Verizon 2015 PCI Compliance Report is the industry’s go-to resource for data-driven insights on payment card security and compliance. To find out more, visit: verizonenterprise.com/pcireport/2015.

verizonenterprise.com

© 2015 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. WBE16316 3/15