back to article Patchy PCI compliance putting consumer credit card data at risk

Nearly half of global organisations fail to comply with the security standards laid out by the Payment Cards Industry (PCI) to ensure customer payment data is protected, according to a new report. Verizon’s latest Payment Security Report (PSR) found that overall PCI compliance has increased among global businesses, with 55.4 …

  1. Snorlax Silver badge
    Thumb Down

    The report can be downloaded here

    "You must register to be a Verizon Insider to access this content. Please take a moment to register. There is no cost, and as a Verizon Insider you'll get early access to our latest reports, plus emails about other Verizon reports and solutions delivered right to your inbox.

    To become a Verizon Insider today, please complete this form:"

    I'd prefer not to register. Got another link to the report, please?

    1. Aodhhan

      Re: The report can be downloaded here

      So don't put your real information in there. Good grief.

      It's true, half the people you encounter are below average intelligence.

      1. Snorlax Silver badge
        Trollface

        Re: The report can be downloaded here

        @Aodhhan:"It's true, half the people you encounter are below average intelligence."

        Oh look, it's this a-hole Aodhhan again.

        Yes, you are below average intelligence but I'm sure your Mommy still loves you...

    2. disgustedoftunbridgewells Silver badge

      Re: The report can be downloaded here

      10minutemail.com

    3. dijital

      Re: The report can be downloaded here

      Also:

      http://www.verizonenterprise.com/verizon-insights-lab/payment-security/2017/reports/2017_payment_security_report_en_xg.pdf

  2. Anonymous Coward
    Anonymous Coward

    Not a surprise

    PCI:DSS documents are not very clear and rather ambigious. Take SAQ-CVT as an example..you'd think that's for people who use virtual terminals to take payment and you'd be right..however unless the PC(s) with the virtual terminal(s) is/are on a separate LAN and separate Internet connection you'd actually in scope for SAQ-D for your whole network...how do you expect someome to cut and paste the order number??

    Many PCI:DSS helpdesk staff at merchant account providers are lacking in basic knowledge...on more than one occasion I've been told card data can be transmitted unencrypted across the public Internet!

    The rules need to be made simple and clear and not driven by the red tape momgers who seem clueless about even well run networks. You can easily get ISO27001 and still fail PCI:DSS despite being secure.

    1. wyatt

      Re: Not a surprise

      I tried for weeks to get information out of World Pay to assist in becoming compliant, they had no idea how to source the information I needed. They still insisted I completed SAQ B-IP when the terminal I was using put me in scope for SAQ P2PE-HW.

      They also charge you £30 per year to register your compliance with them, about £10 per month if you don't bother doing a SAQ and uploading it to them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not a surprise

        Yep banks are supposed to accredit you but have no idea what they are doing for the most part.

        Everyone is out to sell 'consultancy' around this.

        The standards are ambiguous yet inflexible and take no account of the different sorts of business that might take card payments. All based on 27k but just different enough to conflict with other 27k based standards

        It's almost like it's an exercise in moving blame from banks to merchants and generating revenue through fines and consultancy. But I'd never insinuate that.

  3. Anonymous Coward
    Anonymous Coward

    No impact on security...

    If only there was some correlation on being PCI-DSS compliant and actually being secure....at least it forces you to patch.

    1. Lyndon Hills 1

      Re: No impact on security...

      If only there was some correlation on being PCI-DSS compliant and actually being secure....at least it forces you to patch.

      It also forces you to think, for instance about your network architecture. Apparently there are rules covering taking payments by phone, and using an ip-based phone system, along with networked computers, which wouldn't have occured to me. Mind you this isn't my job area.

      1. Anonymous Coward
        Anonymous Coward

        Re: No impact on security...

        There aren't any rules on taking payments via an IP based phone system. There is a badly written guidance document by someone at Barclaycard that was rebranded to PCI and an FAQ from their salesforce type site that adds to the ambiguity.

        Talk to three QSAs and you'll get three different borders for the cardholder data environment using VoIP phones. Heck my best was being told that there was no need to encrypt VoIP calls over the public internet beacuse normal phone calls are not encrypted....which if it's carried on BT IP services you could argue is correcy as Telcos are technically outside PCI for some odd reason.

        It's time someone with realworld busiess experience got hold of them and started the PCI:DSS stuff from scratch...it's not fit for purpose...just look at the large corporate breaches...if multi-billion dollar organisations can't get it right, what chance is there for the rest.

        1. Anonymous Coward
          Anonymous Coward

          Re: No impact on security...

          "Talk to three QSAs and you'll get three different borders for the cardholder data environment using VoIP phones. Heck my best was being told that there was no need to encrypt VoIP calls over the public internet beacuse normal phone calls are not encrypted....which if it's carried on BT IP services you could argue is correcy as Telcos are technically outside PCI for some odd reason".

          You get the same thing with network segregation, and $DEITY help you if you're running Skype for Business because Microsoft don't want to be a telco even if they do offer PSTN connectivity.

          QSAs get pretty much the same basic training as ISAs, but QSAs have additional licencing and CPE requirements. I've done the ISA and I still feel like a rookie cop working solo on a murder case - how the hell do QSAs cope?

  4. Cuddles Silver badge

    But does it actually help?

    "By failing to comply with the PCI Data Security Standard (DSS), organisations are putting consumers at increased risk of payment fraud, Verizon warns."

    It would be interesting to see the proportions of those who do and don't comply that actually suffer data breaches. Given the example in the article, I'd be surprised if there was a significant difference:

    "In one recorded example, a hotel was found to be storing almost a decade’s worth of receipts containing full, unmasked card numbers next to its laundry room."

    This appears to be referring to paper receipts, of the kind that can't be stolen from a networked computer and would take far too long to sort through to make stealing them worthwhile even if someone actually managed to break in and find them. Storing them for so long in an insecure manner may not be the best idea, but how does this compare to, to throw out a random example, Verizon putting 6 million customer records on an unsecured cloud server? https://www.theverge.com/2017/7/12/15962520/verizon-nice-systems-data-breach-exposes-millions-customer-records

    1. dnicholas Bronze badge

      Re: But does it actually help?

      Version, report to the burn unit immediately

    2. Anonymous Coward
      Anonymous Coward

      Re: But does it actually help?

      You have to store the PAN masked from general users and control access according to PCI.

      Base question would be why are their card machines able to print the PAN's on receipts in the first place.

      For comedy can anyone find a decent verizon PCI breach?

  5. Nimby
    Joke

    Patchy PCI compliance putting consumer credit card data at risk

    I tried feeding my credit card into my legacy PCI port, but it won't read from the chip. What software do I need, and is that how I enter my PIN? Do I need to flash my BIOS to support my credit card? Plz help!!!1 I just want to make sure that my credit card data is secure.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020