Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Date post: 21-Jan-2018
Upload: verizon-enterprise-solutions
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. Verizon 2017 Payment Security Report. Finance and Insurance Webinar, Tuesday, September 19th
Transcript
Page 1: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Verizon 2017 Payment Security Report. Finance and Insurance Webinar

Tuesday, September 19th

Page 2: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Proprietary statement

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service.

© 2017 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.

All other trademarks and service marks are the property of their respective owners.

Page 3: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Please advance to the next slide where you can watch the video. The total slide deck is available for your reference after the video. Thank you.

Page 4: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Payment Security Experts

• Rodolphe Simonetti, Global Managing Director, Security Assurance Consulting, Verizon Enterprise Solutions

• Ron Tosto, Global Sr. Manager, Payment Security Practice, Verizon Enterprise Solutions

• Matt Arntsen, Principal Consultant, Payment Security Practice, Verizon Enterprise Solutions

• Ciske Van Oosten, Senior Manager, Payment Security Practice, Verizon Enterprise Solutions

Page 5: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

The 2017 Payment Security Report.

• This report provides a thorough investigation of the challenges of securing customers’ payment data.

• It examines the state of payment security, and looks at what needs to improve.

• Based on our PCI assessments, the report explores compliance with PCI DSS in great detail, and is an invaluable resource for security and compliance professionals.

Page 6: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

There’s good news: full compliance continued its upward progression.

But still almost half of organizations analyzed failed to maintain compliance.

Page 7: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Compliance for Financial Services

Page 8: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Industry Comparison: Financial Services

Full compliance by region:
Americas 35.0%
Europe 58.3%
Asia Pacific 81.8%

Full compliance by industry:
All 55.4%
Financial Services 59.1% (second best)
Retail 50.0%
Hospitality 42.9%
IT Services 61.3% (best)

Page 9: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 1: Install and maintain a firewall configuration

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 1          Financial   Retail   Hospitality   IT Services
Control gap    3.7%        13.6%    3.6%          2.4%
In place       96.3%       86.4%    96.4%         97.6%

Page 10: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 2: Do not use vendor-supplied defaults

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 2          Financial   Retail   Hospitality   IT Services
Control gap    6.1%        15.2%    4.9%          4.1%
In place       93.9%       84.8%    95.1%         95.9%

Page 11: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 3: Protect stored cardholder data

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 3          Financial   Retail   Hospitality   IT Services
Control gap    7.8%        21.5%    8.5%          3.9%
In place       92.2%       78.5%    91.5%         96.1%

Page 12: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 4: Protect data in transit

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 4          Financial   Retail   Hospitality   IT Services
Control gap    7.4%        23.0%    7.8%          9.7%
In place       92.6%       77.0%    92.2%         90.3%

Page 13: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 5: Protect against malicious software

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 5          Financial   Retail   Hospitality   IT Services
Control gap    2.2%        9.8%     0.4%          1.9%
In place       97.8%       90.2%    99.6%         98.1%

Page 14: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 6: Develop and maintain secure systems

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 6          Financial   Retail   Hospitality   IT Services
Control gap    3.7%        16.3%    6.6%          0.6%
In place       96.3%       83.7%    93.4%         99.4%

Page 15: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 7: Restrict access

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 7          Financial   Retail   Hospitality   IT Services
Control gap    1.1%        4.2%     1.3%          0.3%
In place       98.9%       95.8%    98.7%         99.7%

Page 16: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 8: Authenticate access

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 8          Financial   Retail   Hospitality   IT Services
Control gap    3.4%        9.6%     7.4%          1.2%
In place       96.6%       90.4%    92.6%         98.8%

Page 17: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 9: Control physical access

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 9          Financial   Retail   Hospitality   IT Services
Control gap    1.6%        13.3%    6.6%          2.8%
In place       98.4%       86.7%    93.4%         97.2%

Page 18: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 10: Track and monitor access to networks and cardholder data

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 10         Financial   Retail   Hospitality   IT Services
Control gap    5.3%        11.7%    2.0%          4.2%
In place       94.7%       88.3%    98.0%         95.8%

Page 19: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 11: Test security systems and processes

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 11         Financial   Retail   Hospitality   IT Services
Control gap    10.6%       16.2%    6.9%          5.5%
In place       89.4%       83.8%    93.1%         94.5%

Page 20: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

DSS Requirement 12: Maintain an information security policy

[Charts: % controls not in place (control gap) and % controls in place, by industry, with best and worst marked]

Req 12         Financial   Retail   Hospitality   IT Services
Control gap    4.4%        11.1%    7.6%          2.2%
In place       95.6%       88.9%    92.4%         97.8%

Page 21: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Financial services

Control gap

2. Do not use vendor-supplied defaults

What can you do?

• Remove unnecessary services, functionality and user accounts.

• Change the default usernames and passwords on all your devices.

11. Test security systems/processes

What can you do?

• Use vulnerability scanning, penetration testing, file integrity monitoring and intrusion detection to help identify and address weaknesses.

12. Maintain an information security policy

What can you do?

• Establish, update, and communicate effective security policies and procedures.

• Align these with the results of regular risk assessments to help address any weaknesses.

Page 22: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Bottom 20 Controls: Requirement 2

Each cell gives the control number and the percentage in place. Rank 1 is the worst performing control.

Rank   Retail          Hospitality     I.T. Services   Financial
20     10.7   79.2%    12.10  91.0%    12.10  95.5%    11.5   93.3%
19     6.2    79.3%    2.5    90.0%    1.1    95.3%    2.3    93.2%
18     12.6   78.7%    8.4    90.5%    3.5    95.1%    12.2   93.1%
17     6.3    79.1%    9.10   90.5%    11.3   94.9%    11.4   92.8%
16     9.9    76.0%    8.8    90.5%    6.2    94.8%    2.2    92.7%
15     3.5    77.5%    3.3    88.9%    2.3    94.7%    12.6   92.7%
14     11.2   76.8%    8.6    90.5%    12.6   94.6%    12.8   92.3%
13     12.2   76.5%    6.7    90.0%    3.2    94.1%    6.2    92.2%
12     2.3    75.5%    11.3   88.6%    11.2   94.0%    3.2    91.8%
11     3.4    76.3%    12.6   89.7%    4.3    93.3%    8.7    91.7%
10     10.8   72.7%    9.6    88.3%    10.3   93.1%    3.5    91.1%
9      3.1    71.8%    12.2   88.1%    11.5   92.9%    4.1    91.1%
8      9.10   70.6%    4.3    85.7%    10.2   92.6%    4.2    91.1%
7      12.7   70.6%    9.2    87.3%    11.4   91.7%    3.4    89.6%
6      3.6    70.7%    12.8   85.0%    10.1   89.7%    11.2   86.4%
5      3.7    70.7%    3.1    84.4%    9.5    89.3%    3.1    89.1%
4      9.5    67.9%    6.3    84.4%    3.4    88.1%    6.6    88.2%
3      4.1    66.7%    12.9   88.9%    4.1    87.3%    12.9   87.3%
2      4.2    66.7%    9.9    80.4%    4.2    87.3%    9.9    85.9%
1      6.6    60.0%    6.6    75.0%    9.9    N/A      11.3   84.2%

It is mainly Control 2.3 - Encrypt non-console administrative access that organizations struggle with.

Over 90% of Financial Services organizations had their Requirement 2 controls in place during interim validation.

In comparison, only 75.5% of retail organizations had Control 2.3 in place during interim validation.

Page 23: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Bottom 20 Controls: Requirement 11

Requirement 11 is still a problem in the Financial Services and I.T. Services industries.

Control 11.3 (Implement penetration testing) is the worst performing control in Financial Services (84.2%).

It also scored very low in the Hospitality industry (88.6%).

Control 11.2 scored very low in the Retail industry (only 76.8%).

Page 24: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Bottom 20 Controls: Requirement 12

Requirement 12 remains problematic across most industries.

Financial Services struggle with Control 12.9 – service providers – which is in the bottom 3 worst performing controls.

Page 25: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

PCI DSS Compliance by Industry: 2016

Ranked top to bottom per DSS key requirement

Page 26: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Vertical Industry Top 20 In Place Controls 2016

Top 20 most compliant. Each cell gives the control number and the percentage in place.

Rank   Retail          Hospitality     I.T. Services   Financial
1      2.6    100.0%   1.3    100.0%   1.3    100.0%   2.6    100.0%
2      12.9   100.0%   5.1    100.0%   1.5    100.0%   5.4    100.0%
3      12.5   100.0%   5.2    100.0%   2.5    100.0%   1.5    100.0%
4      9.3    98.0%    5.3    100.0%   2.6    100.0%   9.4    99.8%
5      5.3    97.9%    8.7    100.0%   5.3    100.0%   9.1    99.7%
6      7.1    97.9%    12.1   100.0%   5.4    100.0%   12.5   99.5%
7      10.5   95.7%    10.2   100.0%   6.1    100.0%   8.4    99.5%
8      11.5   95.7%    7.2    100.0%   6.4    100.0%   9.3    99.5%
9      5.1    95.5%    10.3   100.0%   6.6    100.0%   7.2    99.2%
10     4.3    95.0%    11.4   100.0%   6.7    100.0%   9.6    98.8%
11     1.5    94.1%    2.6    100.0%   7.2    100.0%   7.1    98.7%
12     12.4   94.1%    10.5   99.2%    7.3    100.0%   8.5    98.7%
13     6.1    94.1%    2.1    98.7%    8.3    100.0%   8.8    98.5%
14     9.4    93.8%    7.1    98.4%    8.4    100.0%   2.4    98.5%
15     8.4    93.8%    9.8    97.8%    8.5    100.0%   12.3   98.5%
16     8.8    93.8%    9.1    97.6%    8.6    100.0%   7.3    98.4%
17     7.2    93.5%    10.6   96.6%    8.7    100.0%   9.10   98.4%
18     10.3   92.4%    1.2    96.0%    8.8    100.0%   8.3    98.1%
19     12.1   91.7%    2.2    95.8%    9.6    100.0%   9.2    97.9%
20     8.2    91.5%    6.4    95.9%    9.7    100.0%   5.1    97.8%

I.T. Services had significantly more controls that achieved 100% compared to other industries.

Page 27: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

The lifecycle of PCI DSS controls

Page 28: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Keep your options open.

Think of how your controls will adapt to changes in the business and/or IT environment. Resilience is key.

Page 29: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Make everyone aware of what they need to do.

Assign roles, define responsibilities and verify that everyone understands what’s expected of them.

Page 30: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Keep the ultimate goal in mind.

The point of payment security is to safeguard customer data, not just pass an assessment.

Page 31: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Read Verizon’s 2017 Payment Security Report to get the full picture: VerizonEnterprise.com/PaymentSecurity

Verizon Insights Podcast on iTunes

Payment security and PCI compliance: What does it mean and how does it help to keep you and your customers safe? Featuring: Mauro Lance, COO – PCI Security Standards Council and Troy Leach, CTO – PCI Security Standards Council

Contact us:

[email protected]

Page 32: Webinar - Finance Services PCI Compliance: How compliant is your payment security?

Thank you. Q&A.

