
Blog

Posts Tagged with "PCI COMPLIANT"

Take the PCI DSS Quiz, Win a Free Tablet!

With the looming 2018 compliance deadlines and the constant news of data breaches, PCI DSS is on the minds of IT and cybersecurity professionals around the world. If your organization reached compliance within the last year, you may be surprised to learn that only 29% of companies are still compliant a year after validation.

As processes, partners, and staff shift within an organization, keeping track of the measures required to maintain compliance can be difficult. The first step in becoming or maintaining PCI DSS compliance is understanding the requirements, and how they apply to your organization.

How well do you understand the PCI DSS requirements? 

Find out by taking this fun, interactive quiz for the chance to win a free Google Pixel C. That’s right, one lucky winner will be selected at random to win a free tablet just for taking the quiz.

 

So what are you waiting for? Test your PCI DSS skills below.



8 Shocking PCI Compliance Statistics




If you work for any organization that processes credit or debit card information, you’ve heard of the Payment Card Industry Data Security Standard (PCI DSS), the regulatory standard aimed at preventing costly data breaches like the ones you may have heard about at Home Depot or TJX. But how much do you really know about PCI compliance? Here are some interesting PCI compliance statistics you may have missed.

 

1. PCI compliance has increased by 167% since 2012

This is the best news on the list. According to Verizon’s latest PCI Compliance Report, the number of organizations that are fully compliant at the time of interim assessment is growing rapidly each year.

 

2. 80% of organizations are still not compliant

While the increase in businesses taking PCI compliance seriously is important, the number of compliant organizations was very low to begin with. According to Verizon’s report, four out of five companies still fail at interim assessment.


3. Only 26% of news media executives feel confident their businesses are compliant

A Newscycle Solutions survey found that only a small number of executives felt confident they had achieved PCI compliance. Another 13 percent were not certain. While this compliance statistic is a snapshot of a specific industry, it’s common across all types of organizations to feel unsure about meeting PCI standards. IT infrastructure becomes more complex every day, PCI rules change frequently, and many companies lack up-to-date expertise.

 

4. Only 29% of companies are compliant a year after validation

Many businesses check PCI compliance off the list and then stop worrying about it. Unfortunately, less than a third have maintained compliance a year later. While successfully demonstrating PCI compliance to an auditor is a big relief, it won’t keep your business safe from security threats. The Verizon report recommends building a robust framework with security policies, procedures, and testing mechanisms to ensure compliance every day of the year.  

 

5. You could pay $100,000 a month for being non-compliant…or much more

One of the least understood aspects of PCI compliance is that the fines for non-compliance are levied on the payment processors or credit card companies (the acquirers) that work with the non-compliant business, not the business itself. Those fines range from $5,000 to $100,000 a month. Of course, the acquirer will recoup the money from you, quite likely with added penalties and increased transaction fees.

 

6. None of the companies breached during Verizon’s investigations were fully compliant

This statistic is just in case you thought that PCI standards were only important for your auditors. In Verizon’s ten years of having a forensics team investigate PCI compliance, they have never found a company that was fully PCI DSS compliant at the time it was breached. Take note.

 

7. 69% of consumers would be less inclined to do business with a breached organization

According to Verizon, the majority of consumers would be hesitant to do business with an organization that has suffered a data breach. If you’re having trouble justifying the cost of robust security solutions, this is what you need to think about: being complacent about PCI compliance today could lead to years of lost customers and a damaged reputation for your brand.

 

8. The average total cost of a data breach is $4 Million

According to the Ponemon Institute, which tracks the costs of data breaches every year, the current amount is up 29 percent since 2013. Refer to #6 for why this statistic directly relates to your PCI compliance.


It’s clear that many organizations are struggling with PCI compliance. It doesn’t have to be difficult. Seek out security software solutions that protect your valuable data using up-to-date methods, generate detailed logs to keep auditors happy, and allow you to easily test for PCI compliance.

Interested in learning more about PCI DSS compliance? Explore our PCI DSS resource section for requirement details, industry whitepapers and recent articles.

 

Ready to try a managed file transfer solution that keeps your enterprise data transfers secure and helps you assess whether you are PCI compliant? Download a free 30-day trial of GoAnywhere MFT.

 


3 Data Breaches That May Have Been Avoided through PCI Compliance


 

“Dear Valued Customer,

As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores.”

 

This is an excerpt from an actual email distributed by a large retailer, in the wake of a massive data breach jeopardizing over 50 million credit cards. Since 2004, Payment Card Industry Data Security Standards (PCI DSS) has stood as a core regulation aimed at thwarting breaches like the above, and any organization that accepts, transmits or stores cardholder data must comply.

Now, here’s the shocking truth: In the latest PCI Compliance Report conducted by Verizon, none of the companies it had investigated in ten years had been fully PCI compliant at the time they were breached.

In many cases, companies achieve total PCI compliance once but don’t sustain it. According to the Verizon report, 80 percent of companies fail at interim assessment. Technology moves quickly, and compliance solutions and policies implemented in past years may not be enough to stand up to modern security threats.

Other organizations believe that they don’t have to worry about protecting data. They believe their business is too small to be the target of hackers, or too large and successful to be using outdated, inadequate security practices. Sometimes they believe that data breaches only affect big retailers, not other industries.

But PCI compliance needs to be taken seriously by everyone or the consequences can be devastating. Here are three organizations that experienced the detriment of non-compliance.

#1: Data Breach at Home Depot Compromises 56 Million Credit Cards

In what went down in history as one of the worst retail data breaches of all time, malware infected Home Depot point-of-sale systems and stole millions of customer credit and debit cards. The Home Depot attack seems to be a case of relying on inadequate software solutions and policies for data breach prevention. Employees later said that the company used outdated antivirus software and failed to monitor the network for unusual behavior.

PCI standards require routine vulnerability scans, but according to employees, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff. In Home Depot’s case, investing in security software able to audit the infrastructure for PCI compliance may have been the difference between a $19.5 million data breach settlement and business as usual.

#2: Office of Personnel Management Data Breach Affects Millions

After hackers attacked the Office of Personnel Management (OPM)’s servers and stole the personnel files of 4.2 million former and current government employees, as well as the security clearance background investigation information of millions more, a congressional investigation uncovered the organization’s security shortcomings.

Among many other findings, the report took particular issue with the department’s lack of two-factor authentication for employee access to sensitive data, claiming it was an oversight that could have prevented the security breach. This points to a key problem that PCI compliance is meant to address: it’s not enough to encrypt and protect your files during transfer; you also need to monitor internal actors. A robust security solution will authenticate users, give them only the access they need, and maintain a detailed log of each user’s actions.

#3: Over 45 Million Credit Card Numbers Stolen in TJX Breach

TJX Companies, owner of popular home brands such as TJ Maxx, Marshalls, and HomeGoods, experienced a data breach in which more than 80GB of cardholder data was stolen over a period of 18 months. Before the company was able to detect and halt the breach, 45.6 million records had been stolen.

Documents filed in court after the breach claimed that TJX had failed to comply with nine out of the twelve PCI DSS requirements. Factors contributing to the incident included an improperly configured wireless network, a failure to segment networks carrying cardholder data from the rest of TJX's network, and the storage of prohibited data. Two members of the PCI Standards Council later pointed to PCI compliance as the clearest way to protect data against a TJX-style breach.

PCI Compliance Can be Tricky, We Get It.

No company embarks on an initiative to avoid PCI compliance. You are trusted by your customers, partners and vendors to take the proper measures to secure and protect their sensitive payment data. It’s that trust that has kept your company successful for so many years!

We read about data breaches and attacks like these in the news on a regular basis, but we don’t pause often enough to audit our own data security practices. IT infrastructure in today’s enterprises is increasingly complex, especially for large companies with systems spread around the world like Home Depot. Add to that the fact that PCI compliance has multiple, complex requirements, and it can be daunting for IT and security teams to implement a sustainable process that ensures ongoing compliance.

PCI DSS compliance can be greatly simplified by using software solutions with features designed to help you achieve security and compliance. This type of software addresses PCI requirements, provides the information you need to satisfy an audit, and in some cases even helps you check whether you are meeting compliance standards.

PCI Compliance with Secure Managed File Transfer

File transfers are an essential point of vulnerability to consider when developing your security strategy. The most common file transfer pitfall is relying on inadequate methods such as poor FTP implementation practices, file sharing apps, and unencrypted email attachments.

A secure managed file transfer (MFT) platform guards your sensitive data against attacks with robust security and encryption methods, all while streamlining the file transfer process and saving your team time and resources that can be used to tackle other potential security issues. Furthermore, a good MFT solution will have features like detailed audit logging and compliance assessments to eliminate the headache involved with ensuring your file transfers are compliant.

To make protecting data transfers as easy as possible, make sure your managed file transfer platform provides:

  • Secure connections for the transmission of sensitive data
  • Integration with existing critical applications
  • Role-based security and user authentication
  • Strong encryption methods
  • Detailed logs for audit reporting

Securely managing your data transfers is just one aspect of achieving PCI compliance, but it is an essential step toward fully protecting your enterprise against security threats.

 

Interested in learning more about PCI DSS compliance? Explore our PCI DSS resource section for requirement details, industry whitepapers and recent articles.

 

Assess the PCI compliance of your file transfers for free when you try GoAnywhere MFT for 30 days. Sign up for a trial here.


Are Your Data Transfers PCI Compliant? Find Out with the Security Settings Audit Report from GoAnywhere.

Complying with the Payment Card Industry’s Data Security Standard (PCI DSS) is mandatory for every organization around the world that processes credit or debit card information. GoAnywhere Managed File Transfer has several features, like detailed event logs and role-based security, to help users eliminate the security vulnerabilities that PCI DSS was designed to combat. For more information on how GoAnywhere makes PCI compliance easy, instantly download the guide.

But PCI DSS requirements are complicated, and making sure you have checked all the boxes is often a time-consuming process for IT teams. Failing a PCI audit comes with hefty fines, so you don’t want to leave anything to chance. One important aspect of achieving compliance is securing your data transfers. GoAnywhere users have a quick and easy way to ensure that their GoAnywhere implementation is compliant with PCI requirements for protecting data transfers: the Security Settings Audit Report. Painlessly checking data transfers off the list makes achieving overall PCI compliance much simpler.


GoAnywhere Advanced Reporting Module

GoAnywhere helps you manage and monitor your system information and file transfer activity with a variety of detailed PDF reports. The Security Settings Audit Report is one of several reports that can be generated on-demand through the browser-based console or scheduled and distributed automatically.

The Security Settings Audit Report

For each of over 60 security settings, the report will indicate the status of your GoAnywhere installation. There are five possible outcomes for each setting tested:

  • Pass: The setting meets the PCI DSS requirement.
  • Fail: The setting does not meet the PCI DSS requirement. In this case, you will also be given a recommendation for remedying the problem.
  • Warning: You will need to look into this issue further to determine if you are compliant. Recommended actions are provided.
  • Not Applicable: A check on this setting is not required, typically due to GoAnywhere features that you are not licensed to use.
  • Fatal: A configuration problem is preventing GoAnywhere from accessing the appropriate data.

In addition to the status check and recommended actions, the report lets you know which section of PCI DSS the setting applies to.

The enhanced Security Settings Audit Report released with GoAnywhere version 5.4 includes some new checks. The report now ensures that Gateway is being used for inbound connections, that Gateway's control channel is protected with SSL/TLS and a shared secret value, that Admin users are not allowed to view Resource passwords, and that Admin users follow password age and history restrictions.
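The following is an added illustration of how a settings audit of this shape can be structured; it is not GoAnywhere’s own report code. The configuration keys, the individual checks, the thresholds and the PCI DSS requirement numbers attached to each check are assumptions made for the example (the sample snapshot is constructed so that every one of the five outcomes appears once, including a Fatal result from a setting the auditor cannot read and a Not Applicable result from an unlicensed module).

```python
"""Minimal security-settings audit: each check returns one of five
statuses, a remediation hint on failure, and is labelled with the PCI DSS
requirement it relates to. Added example; the settings keys, checks and
requirement mapping below are assumptions, not product configuration."""
from dataclasses import dataclass

PASS, FAIL, WARNING, NOT_APPLICABLE, FATAL = (
    "Pass", "Fail", "Warning", "Not Applicable", "Fatal")


@dataclass
class Finding:
    setting: str
    status: str
    pci_section: str
    recommendation: str = ""


# Constructed configuration snapshot (all keys are hypothetical).
# "server.tls_min_version" is deliberately absent to trigger a Fatal result.
SAMPLE_SETTINGS = {
    "licensed_modules": ["gateway"],
    "gateway.inbound_enabled": True,
    "gateway.control_channel_tls": False,
    "gateway.control_channel_shared_secret": "",
    "admin.can_view_resource_passwords": True,
    "admin.password_max_age_days": 90,
    "admin.password_history": 4,
    "audit.retention_days": 200,
}


def requires_module(module):
    """Mark a check Not Applicable when the module it covers is unlicensed."""
    def wrap(fn):
        def inner(s):
            if module not in s["licensed_modules"]:
                return NOT_APPLICABLE, f"{module} module is not licensed"
            return fn(s)
        return inner
    return wrap


@requires_module("gateway")
def gateway_inbound(s):
    if s["gateway.inbound_enabled"]:
        return PASS, ""
    return FAIL, "Route inbound connections through the Gateway instead of opening listeners internally."


@requires_module("gateway")
def gateway_control_channel(s):
    if s["gateway.control_channel_tls"] and s["gateway.control_channel_shared_secret"]:
        return PASS, ""
    return FAIL, "Enable SSL/TLS on the Gateway control channel and configure a shared secret."


def admin_resource_passwords(s):
    if s["admin.can_view_resource_passwords"]:
        return FAIL, "Remove the permission that lets Admin users view Resource passwords."
    return PASS, ""


def admin_password_policy(s):
    if s["admin.password_max_age_days"] <= 90 and s["admin.password_history"] >= 4:
        return PASS, ""
    return FAIL, "Expire admin passwords within 90 days and remember at least 4 previous passwords."


def audit_log_retention(s):
    days = s["audit.retention_days"]
    if days >= 365:
        return PASS, ""
    if days >= 90:  # judgement call: online retention is short, archives may cover the rest
        return WARNING, "Less than a year of logs is kept online; confirm archived copies cover the remainder."
    return FAIL, "Retain audit logs for at least one year."


def tls_minimum_version(s):
    version = s["server.tls_min_version"]  # missing in the sample -> KeyError -> Fatal
    if version in ("TLSv1.2", "TLSv1.3"):
        return PASS, ""
    return FAIL, "Raise the minimum TLS version to 1.2 or later."


@requires_module("secure_mail")
def secure_mail_link_expiry(s):
    if s["secure_mail.link_expiry_days"] <= 7:
        return PASS, ""
    return FAIL, "Expire secure mail download links within 7 days."


# (display name, assumed PCI DSS requirement, check function)
CHECKS = [
    ("Gateway handles inbound connections", "Requirement 1", gateway_inbound),
    ("Gateway control channel protected", "Requirement 4", gateway_control_channel),
    ("Admins cannot view Resource passwords", "Requirement 7", admin_resource_passwords),
    ("Admin password age and history", "Requirement 8", admin_password_policy),
    ("Audit log retention", "Requirement 10", audit_log_retention),
    ("Minimum TLS version", "Requirement 4", tls_minimum_version),
    ("Secure Mail link expiry", "Requirement 4", secure_mail_link_expiry),
]


def run_audit(settings):
    """Evaluate every check; an unreadable setting is reported as Fatal, not as Pass."""
    findings = []
    for name, section, fn in CHECKS:
        try:
            status, rec = fn(settings)
        except KeyError as missing:
            status, rec = FATAL, f"Setting {missing} could not be read; fix the configuration and rerun."
        findings.append(Finding(name, status, section, rec))
    return findings


def summarize(findings):
    """Count findings per status, e.g. {'Pass': 2, 'Fail': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_audit(SAMPLE_SETTINGS):
        line = f"[{f.status:>14}] {f.setting} ({f.pci_section})"
        print(line + (f" -> {f.recommendation}" if f.recommendation else ""))
    print(summarize(run_audit(SAMPLE_SETTINGS)))
```

The design point worth copying is that an unreadable setting surfaces as a distinct Fatal outcome rather than silently passing or failing, and that a module the installation is not licensed for is reported as Not Applicable so it does not inflate the failure count.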

To get started with easy PCI compliance using GoAnywhere MFT and the Security Settings Audit Report, download a free 30-day trial of GoAnywhere.

 


Get the Guide: Achieving PCI Compliance with GoAnywhere MFT


The Payment Card Industry’s Data Security Standard (PCI DSS) was created to increase controls over cardholder data and reduce fraud. It applies to every organization around the world that processes credit or debit card information. Unfortunately, it’s not always clear to businesses which steps need to be implemented to ensure PCI compliance. Using the right software solutions can take a lot of the work out of your hands.

It’s essential to factor protection for your file transfers into your security and compliance plan. If you possess customer cardholder data, an unsecure transfer method leaves that data especially vulnerable to interception and theft. The most common file transfer pitfall is relying on inadequate methods such as free FTP tools, file sharing apps, and email attachments. Ideally, your file transfer solution will go beyond protecting your data with encryption and secure protocols and also help you to provide the information that an auditor needs through detailed reports and role-based access.

The penalties for failing a PCI audit are severe and will likely negate the savings of your “inexpensive” transfer method. Of course, complying with PCI DSS is not just about avoiding fines. PCI compliance should be seen as a set of core principles that will help you avoid a costly breach of your data—and having to tell your customers that you’ve allowed their credit card data to be stolen.

PCI DSS compliance is based on twelve main requirements. We’ve put together a guide that demonstrates how GoAnywhere Managed File Transfer addresses several of them. For example, GoAnywhere protects your files at rest (PCI Requirement 2) using strong encryption methods like AES and OpenPGP. Its role-based accounts allow you to restrict access to cardholder data by business need-to-know (PCI Requirement 7).

Instantly download the guide to see how GoAnywhere helps to make PCI compliance easy.



PCI DSS 2.0

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a "need-to-know basis" (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve. QSAs reported that the three most common business reasons for storing cardholder data are:

  • Handling charge-backs
  • Providing customer service
  • Processing recurring subscriptions

In order to service these customers' requirements, the credit card data must still be available to the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.

Encryption the Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI Issues

So what's the best way to both satisfy the requirements of PCI and still make secured data transparent to applications? The strategy QSAs recommend is to lock down the cardholder data with technologies that:

  1. Restrict the access
  2. Encrypt the data
  3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/decryption utilities that slow processing, and often leave decrypted data in the open. In addition, without any integrated encryption key management process, there is really no security at all. Unsecured encryption keys, just like data, can be lost, stolen, and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSA's three recommendations go beyond the basic requirements of the PCI standard to actually secure the credit card data at the host - and to ensure that the data isn't misused when the data is at rest or while being transferred.

Linoma Software's data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI DSS V2

Industry security analysts will still complain that PCI DSS needs to be a real security standard aimed at protecting card holder data, but Version 2.0 doesn't provide that value.  Consequently, we need to analyze what the QSAs are recommending, and then build on PCI DSS Version 2.0 to implement the best possible data security for our customers' credit card data.


Massachusetts Has Set the Bar for Securing Personal Data; Is Your Company Compliant?

Personal data privacy is one of the greatest concerns individuals have when doing business over the web and in person. It seems it is commonplace for a company to notify their customers that their personal and/or account information has been compromised by a hacker or a disgruntled employee (e.g. TJ Maxx, Wells Fargo, Bank of America). While you'd think businesses would do everything they can to protect their customers' personal information, they will weigh the risks and likelihood of a data breach happening versus the cost and time to implement such security measures. Knowing this, the payment card industry (PCI), government agencies and many states have put together a list of requirements that businesses must follow in order to do business with them or in their state. The problem is they often don't enforce these regulations and fines are only imposed after a data breach happens.

I just returned from Framingham, Massachusetts where we exhibited at the Northeast User Group conference. Massachusetts has a very strict data privacy law. Not only do businesses in Massachusetts need to protect their customers' personal information, but so do businesses that hold in their database the personally identifiable information of people from Massachusetts. One of the requirements says organizations must:

"Encrypt all transmitted records and files containing personal information that will travel across public networks."

Several of our customers mentioned our products have helped them meet the Massachusetts data privacy requirements. They have implemented field encryption using Crypto Complete and are using our GoAnywhere Director to encrypt file transfers. They have minimized the risk of a data breach happening at their company by using both solutions. Unfortunately, I also had many other individuals stop by Linoma's booth who said their management does not want to allocate any resources (time or money) towards securing personal and confidential data. They know they should do it and are required to do so, but it's just not high on their priority list right now. I'm afraid this mindset may be more popular than we think, which is concerning. Is the company you work for securing personal data?

Is your company looking for a solution to secure data? Find out today how we can help your company avoid sending the inevitable letter that your confidential information has been breached. Not only can we help you avoid facing public humiliation, our products can help save you time and money by streamlining the secure data transfer process. If you are interested in seeing how Linoma's solutions can encrypt your data at rest and when it's transferred, don't hesitate to contact us at 800-949-4696.

Brian Pick

Sales Manager