PCI Compliance: How compliant is your payment security?

Post on 21-Jan-2018


Verizon 2017 Payment Security Report.

Overview Webinar

Thursday, September 7th

PROPRIETARY STATEMENT

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service.

© 2017 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

Please advance to the next slide where you can watch the video. The total slide deck is available for your reference after the video. Thank you.

Payment Security Experts

Rodolphe Simonetti, Global Managing Director, Security Assurance Consulting, Verizon Enterprise Solutions

Ron Tosto, Global Sr. Manager, Payment Security Practice, Verizon Enterprise Solutions

Franklin Tallah, Senior Manager, Payment Security Practice, Verizon Enterprise Solutions

Ciske Van Oosten, Senior Manager, Payment Security Practice, Verizon Enterprise Solutions

Would you be more or less likely to do business with a company that had lost customers’ personal data?

You can’t afford to ignore payment security.

66% say they would be unlikely to do business with an organization that experienced a breach where their financial and sensitive information was stolen.¹

1. Gemalto, Customer Loyalty Study, 2016

The 2017 Payment Security Report.

• This report provides a thorough investigation of the challenges of securing customers’ payment data.

• It examines the state of payment security, and looks at what needs to improve.

• Based on our PCI assessments, the report explores compliance with PCI DSS in great detail, and is an invaluable resource for security and compliance professionals.


What’s the difference between compliant and secure?

PCI DSS compliance doesn’t necessarily mean that you’re secure.

But failing it means that you’re definitely not.

Over the past 12 years, not a single breached organization we investigated was fully PCI DSS compliant at the time of the breach*.

*Payment card data breaches investigated by the VTRAC | IR Team

There’s good news: full compliance continued its upward progression.

But still almost half of organizations analyzed failed to maintain compliance.

Our research shows that 45% of organizations fall out of PCI DSS compliance within nine months of validation.

The control gap—the average percentage of controls organizations didn’t have in place—has increased in non-compliant companies.

These aren’t just a few insignificant rules.

Many of the controls not in place are essential to mitigating security threats.

Full Compliance

The percentage of organizations achieving full compliance improved across all 12 Key Requirements compared with 2015.

Requirement 11 (Security Testing) retained its traditional place at the bottom of the list in terms of full compliance (71.9%).

Requirement 1 (Firewall configurations) showed the largest improvement in full compliance, increasing by 10.4pp.

Five out of six of the worst performers are the same now as they were in 2013.

Requirement 11 [Test security systems and processes] has been the perennial bottom of the pack, but in the last couple of years we’ve seen it lose last place to Requirement 4 [Protect data in transit], though Requirement 11 retains the dubious honor of last place when you look at full compliance.

IT services

Control gap: 3. Protect stored cardholder data; 11. Regularly test security systems/processes; 12. Maintain an information security policy

3. Protect stored cardholder data. What can you do?

• When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to.

11. Regularly test security systems/processes. What can you do?

• Use vulnerability scanning, penetration testing, file integrity monitoring and intrusion detection to help identify and address weaknesses.

12. Maintain an information security policy. What can you do?

• Establish, update, and communicate effective security policies and procedures.

• Align these with the results of regular risk assessments to help address any weaknesses.

Key requirement 11

83.6% of companies assessed after a data breach were not in compliance with Requirement 11*

The lifecycle of PCI DSS controls

QSA horror story: Terrifyingly short

How secure is your password? How long would you make it if you were storing primary account numbers (PANs) in clear text? Much to their horror, during one assessment a QSA found an admin account with access to 70 million PANs protected by the weakest password we’ve ever seen—a single character! The operator’s defense was that it was a “special character”.

QSA horror story: The phantom router

When auditing one organization, we were told that the requirements of PCI DSS governing Wi-Fi didn’t apply to them as they didn’t use it. But during the assessment, the QSA spotted an unsecured Wi-Fi network. The IT security team was shocked. After some investigating, it turned out that it wasn’t some paranormal activity. With the server room in the basement and the IT department located on the third floor, one IT admin was tired of traipsing up and down the stairs, so he had installed a router to access the servers from his desk. More slob than specter.

Keep your options open.

Think of how your controls will adapt to changes in the business and/or IT environment. Resilience is key.

Make everyone aware of what they need to do.

Assign roles, define responsibilities and verify that everyone understands what’s expected of them.

Keep the ultimate goal in mind.

The point of payment security is to safeguard customer data, not just pass an assessment.


Read the 2017 Payment Security Report to get the full picture:

VerizonEnterprise.com/PaymentSecurity

Contact us:

Paymentsecurity@Verizon.com

Thank you.

Q&A

Appendices

Full compliance (chart)

Based on VZ PCI assessments conducted in the 2017 Payment Security Report

Average control gap (chart)

Full compliance (chart)

Key requirements

1. Install and maintain a firewall configuration

This Requirement covers the correct usage of a firewall to filter traffic as it passes between internal and external networks, as well as traffic to and from more sensitive areas within the company’s internal networks.

2. Do not use vendor-supplied defaults

This Requirement covers the controls that reduce the available attack surface on system components by removing unneeded services, functionality, and user accounts, and by changing insecure vendor default settings.

3. Protect stored cardholder data

This Requirement covers the storage of CHD and SAD on system components, such as servers and databases. It states that all stored data must be protected using appropriate methods, no matter what type of system it’s stored in. And it must be securely deleted once no longer needed.

4. Protect data in transit

This Requirement is designed to protect cardholder data and sensitive authentication data transmitted over unprotected networks, such as the internet, where attackers could intercept it.

5. Protect against malicious software

This Requirement concerns protecting all systems commonly affected by malicious software against viruses, worms, and trojans.

6. Develop and maintain secure systems

This Requirement covers the security of applications, and particularly change management. It governs how systems and applications are developed and maintained, whether by the organization or third parties. It recognizes that the threat landscape is always changing, and compliance measures need to be adapted accordingly.

7. Restrict access

This Requirement specifies the processes and controls that should restrict each user’s access rights to the minimum they need to perform their duties—a “need-to-know” basis.

8. Authenticate access

This Requirement sets standards for managing user identities and authentication methods, including passwords. Before DSS 3.0, it was called “Assign a unique ID to each person with computer access”.

9. Control physical access

This Requirement stipulates that organizations must restrict physical access to all systems in the DSS scope and all hard copies of CHD.

10. Track and monitor access to networks and cardholder data

This Requirement covers the creation and protection of information that can be used for tracking and monitoring access to all systems in the DSS scope, including databases, network switches, firewalls and clients.

11. Test security systems and processes

This Requirement covers the use of vulnerability scanning, penetration testing, file integrity monitoring, and intrusion detection to identify and assess weaknesses.

12. Maintain an information security policy

This Requirement stipulates that organizations actively manage their data protection responsibilities by establishing, updating, and communicating security policies and procedures aligned with results of regular risk assessments.

Compliance by industry

Financial services

Control gap: 2. Do not use vendor-supplied defaults; 11. Test security systems/processes; 12. Maintain an information security policy

2. Do not use vendor-supplied defaults. What can you do?

• Remove unnecessary services, functionality and user accounts.

• Change the default username and passwords on all your devices.

11. Test security systems/processes. What can you do?

• Use vulnerability scanning, penetration testing, file integrity monitoring and intrusion detection to help identify and address weaknesses.

12. Maintain an information security policy. What can you do?

• Establish, update, and communicate effective security policies and procedures.

• Align these with the results of regular risk assessments to help address any weaknesses.
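File integrity monitoring comes up under Requirement 11 both in the appendix and in the industry slides above, but the deck never shows what the control actually does. The following is an added example (not Verizon's code and not a PCI SSC artifact) of the core of a FIM check: hash every file under a monitored tree into a baseline, re-hash later, and report what was added, removed or modified. The directory layout, file names and contents are constructed for the demo; a real deployment would monitor paths such as firewall rule sets, payment application binaries and their configuration.

```python
"""File integrity monitoring (FIM) baseline-and-compare in the spirit of
PCI DSS Requirement 11. Added example, not Verizon's or the PCI SSC's code.
Paths and file contents below are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: files that appeared, disappeared, or changed content."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a mock payment host, then change it in
    three ways a FIM alert should surface."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "payment.conf").write_text("tls_min_version=1.2\n")
        (root / "etc" / "firewall.rules").write_text("deny all\n")
        (root / "bin" / "pos-agent").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # A weakened setting, an unexpected new binary, and a deleted rule set.
        (root / "etc" / "payment.conf").write_text("tls_min_version=1.0\n")
        (root / "bin" / "unknown-helper").write_bytes(b"not in the baseline")
        (root / "etc" / "firewall.rules").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline itself is the weak point of any FIM: store it off-host or sign it, otherwise whoever can change a monitored file can also rewrite the hashes it is compared against. Requirement 11 also expects the comparison to run at least weekly and to alert on unexpected changes, which is a scheduling and alerting layer this snippet leaves to the surrounding tooling.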

Retail

Control gap: 3. Protect stored cardholder data; 8. Authenticate access; 12. Maintain an information security policy

3. Protect stored cardholder data. What can you do?

• When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to.

8. Authenticate access. What can you do?

• Assign a unique username and password to each user.

• Segment data and grant access on a need-to-know basis.

12. Maintain an information security policy. What can you do?

• Establish, update, and communicate effective security policies and procedures.

• Align these with the results of regular risk assessments to help address any weaknesses.

Hospitality

Control gap: 1. Install and maintain a firewall configuration; 3. Protect stored cardholder data; 6. Develop and maintain secure systems and applications

1. Install and maintain a firewall configuration. What can you do?

• Simplifying and consolidating access control and its administration is key.

• Train administrators to have a consistent understanding of “insecure” services, ports and protocols.

3. Protect stored cardholder data. What can you do?

• When sensitive data has to be stored, encryption and strong hashing can dramatically reduce risk. But don’t store data unless it’s essential to.

6. Develop and maintain secure systems and applications. What can you do?

• Prevent and test for known weaknesses and common design or coding flaws.

• Identify vulnerabilities and remediate against them by applying security patches.
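The "protect stored cardholder data" advice repeated for IT services, retail and hospitality above (and described in the Requirement 3 appendix entry) boils down to two rules: do not store what you do not need, and never keep the clear PAN. The following added example (not Verizon's code and not a PCI SSC artifact) shows one way to apply both when a record is written: sensitive authentication data such as the CVV is refused outright, the PAN is validated, and only a masked display form plus a keyed one-way fingerprint reach storage. The key, the record layout, the `find_by_pan` lookup and the sample card numbers are all constructed for the demo; using an HMAC rather than a plain hash is this example's own choice, explained in the comment.

```python
"""Storing cardholder data without keeping the clear-text PAN, in the spirit of
PCI DSS Requirement 3. Added example, not Verizon's or the PCI SSC's code.
The key, record layout and sample PANs are constructed for the demo."""
import hashlib
import hmac
import re

# Assumption: in production this key lives in an HSM or key-management service
# and is never hard-coded. Fixed placeholder value for the demo only.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

SAD_FIELDS = ("cvv", "cvv2", "track", "pin")  # sensitive authentication data


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the first sanity check on anything claiming to be a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form showing at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed one-way hash over the entire PAN. A keyed HMAC rather than a bare
    SHA-256 is this example's choice: PANs have little entropy (known issuer
    prefix plus a Luhn digit), so an unkeyed hash table is cheap to reverse."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_record(raw: dict, key: bytes) -> dict:
    """Build the only record allowed to reach the database: no SAD, no clear PAN."""
    for field in SAD_FIELDS:
        if field in raw:
            raise ValueError(f"refusing to store sensitive authentication data: {field}")
    pan = re.sub(r"[\s-]", "", raw["pan"])
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_fingerprint": pan_fingerprint(pan, key),
        "expiry": raw["expiry"],
    }


def find_by_pan(records: list, pan: str, key: bytes) -> list:
    """Lookup without a clear PAN column: recompute the fingerprint and match."""
    wanted = pan_fingerprint(pan, key)
    return [r for r in records if hmac.compare_digest(r["pan_fingerprint"], wanted)]


if __name__ == "__main__":
    # Constructed input using a well-known test card number.
    rec = store_record({"pan": "4111 1111 1111 1111", "expiry": "12/27"}, DEMO_KEY)
    print(rec)
    print(find_by_pan([rec], "4111111111111111", DEMO_KEY) == [rec])
```

Where a process genuinely needs the PAN back (for example to forward it to an acquirer), this hash-and-mask layout is not enough and the value has to be encrypted under a properly managed key, which is the "encryption" half of the slide's advice; the fingerprint still lets the rest of the system search and de-duplicate without ever seeing the number.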