What can we learn about PCI compliance from data breaches in 2017?  

Noncompliance to PCI Requirements

data breach, data breach trends, 2017 data breaches2017 was a year marked by massive hacks like Equifax, rampant malware like WannaCry and Petya, notable vulnerabilities like KRACK, as well as changes to and guidance about the Payment Card Industry Data Security Standard (PCI DSS).

But one thing remains the same year after year; complying with the PCI DSS makes organizations more secure. Failure to comply with even one of the PCI requirements can set a company up for inevitable data breach and theft. Our Forensics department has compiled statistics from their own PCI data breach investigations in 2017. This PCI Data Breach Visualization shows which specific failures in compliance contributed to the data breaches our Forensics department investigated.

data breach, 2017 data breaches, data breach forensics

Most Common Contributors to a Data Breach

At a rate of 73% of all investigated breaches at SecurityMetrics, noncompliance with PCI requirement 10 “Implement Logging and Log Monitoring” was the issue most frequently associated with a data breach.

Log monitoring systems (e.g., Security Information and Event Management [SIEM] tools) track network activity, inspect system events, alert of suspicious activity, and store user actions that occur inside your systems. They can help warn you about a data breach, providing you with data known as event logs, audit records, and audit trails. Regular log monitoring means a quicker response time to security events and better security program effectiveness.

In second place for contribution to data breaches is noncompliance with PCI requirement 11, “Conduct Vulnerability Scans and Penetration Testing.” These scans and tests are critical for finding vulnerabilities and testing your in-place security measures. There are different types of vulnerability scans and penetration tests depending on your business or PCI audit needs.

2017 Forensic Data Takeaways and Tips

The average organization was vulnerable for 1,549 days
  • The “window of vulnerability” is the time during which a system, environment, software, and/or website could potentially be exploited by an attacker. 
  • To reduce the window of vulnerability, implement and monitor standard security controls as found in the PCI DSS. Testing your security through traditional means like penetration testing and vulnerability scanning is a great place to start. 
Cardholder data was captured for an average of 237 days
  • This is the window of time during which data is being recorded, gathered, and/or stored from an unauthorized source.
Cardholder data was exfiltrated for an average of 264 days
  • “Exfiltration” is the unauthorized transfer of data from a system (e.g., exporting).
data breach, data breach trends, 2017 data breaches45% of organizations were breached through remote access
  • Remote access remains one of the most common hacking vectors because businesses often configure their remote access application insecurely. 
  • Limit employee access to remote access and implement multi-factor authentication.
21% of organizations were breached through malicious code
39% of organizations had memory-scraping malware on their system
97% of organizations had firewalls in place at time of compromise, but at least 15% of firewalls did not meet PCI requirements
  • Make sure firewalls are configured correctly and assign someone to monitor your firewall logs daily. You need to document your firewall-related policies and procedures, as well as regularly review and test your firewall rule sets. 

Now is the time to look back at forensic lessons and apply them to your current security practices. You can look forward to increased security in 2018 if you adjust your security practices to more closely follow the Payment Card Industry Data Security Standard.