Posts Tagged ‘pci dss’

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS CLOUD COMPUTING GUIDELINES

Wednesday, February 20th, 2013

PCI Special Interest Group offers guidance for securing payment card data in cloud environments —

WAKEFIELD, Mass., February 07, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG). Businesses deploying cloud technology can use this resource as a guide for choosing solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance.

PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
PCI Participating Organizations selected cloud computing as a key area to address via the SIG process. More than 100 global organizations representing banks, merchants, security assessors and technology vendors collaborated on this guidance designed to help companies identify and address the security challenges for different cloud architectures and models, and understand their PCI DSS responsibilities when implementing these solutions.

“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.”

The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships – outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges – describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.
  • Additional Security Considerations – explores a number of business and technical security considerations for the use of cloud technologies.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.
The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php. Download cloud computing guidelines document here.
Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”

Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.

About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council
Join the conversation on Twitter: http://twitter.com/#!/PCISSC

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES

Wednesday, February 20th, 2013

— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives:

  • E-commerce Overview – provides merchants and third parties with explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  • PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.
Merchants who use or are considering use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.

Global Payments Not Certified PCI-DSS Compliant – Breach Costs Reach $94M

Tuesday, January 15th, 2013

Highlights from the Global Payments quarterly report, released January 8, 2013, reveal that costs related to the 2012 data breach have reached $93.9 million and that additional material costs will be incurred in 2013. The company is still working on PCI DSS certification. It has not yet been put back on the list of PCI DSS compliant service providers; however, the impact on revenue has been “immaterial”.

“As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA’s evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

In addition to the credit card data breach, the “investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services.” Merchant account applications contain information that is valuable to identity thieves, including business owner social security numbers and home addresses.

Another potential financial blow is the class action suit related to the ‘intrusion’, as Global Payments has identified the breach. “We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.”

What’s the difference between tokenization and encryption for payment card data?

Wednesday, May 9th, 2012

Tokenization is the process of replacing sensitive data with a meaningless number. There is no universal standard for tokenization in payments. The key principle is that no part of the token has any relation to the credit card or check data. The tokens themselves are useless outside of the system for which they are designed to be used. Tokens can be created for one-time use or stored for recurring use.

Encryption is the conversion of data into a form that cannot be easily read by others. That which is encrypted can be decrypted.

Payment card industry data security standards (PCI DSS) do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction, with very rare exception.  If you store card data on your servers, regardless of access limitations, you’ll have a hard time proving your company was PCI Compliant in the event of a data breach. The financial liability, and potential criminal liability, is substantial.

If PAN data (primary account/credit card number) is encrypted, it’s still within the merchant scope for PCI because it can be decrypted. The exception is if the merchant is using a third party that is using PCI Compliant strong encryption, and there is no ability for the merchant to decrypt the data and get back PANs. *

Tokenization helps merchants reduce the scope for PCI DSS compliance whenever credit card data is stored, because the merchant cannot reverse engineer to access the PAN data. Encryption can be used by the third party to protect the data in the token vault. It is not required by PCI.  When a merchant uses a token to process a transaction, the associated payment information in the vault is delivered to the processor. How and in what format? The logical and physical elements vary by provider and specific controls are secret for security reasons, but it’s a fair question to ask when considering a new provider.
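
An added illustration of the distinction drawn above (not code from this page, from CenPOS, or from any provider): a reversible encryption round trip next to an in-memory token vault with recurring and one-time tokens. The `TokenVault` class, the function names, the choice to issue Luhn-invalid tokens, and the SHA-256 keystream (a stand-in for a real cipher, not strong cryptography) are all assumptions made for the example.

```python
import hashlib
import secrets

TEST_PAN = "4111111111111111"  # widely used test card number, not a real account


def luhn_ok(number: str) -> bool:
    """Luhn checksum that valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# --- Encryption: whoever holds the key can get the PAN back -----------------
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Illustration-only keystream; a real system would use a vetted cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt_pan(key: bytes, pan: str) -> bytes:
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(pan))
    return nonce + bytes(a ^ b for a, b in zip(pan.encode(), ks))


def decrypt_pan(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


# --- Tokenization: the token is random; only the vault holds the mapping ----
class TokenVault:
    """Hypothetical provider-side vault. The merchant stores tokens only."""

    def __init__(self):
        self._store = {}  # token -> (pan, single_use)

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        while True:
            # Random digits: no part of the token is derived from the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Reject Luhn-valid tokens so a token can never pass as a card.
            if token not in self._store and not luhn_ok(token):
                break
        self._store[token] = (pan, single_use)
        return token

    def redeem(self, token: str) -> str:
        """Provider-side lookup when a charge is submitted with a token."""
        pan, single_use = self._store[token]  # KeyError for unknown tokens
        if single_use:
            del self._store[token]  # one-time token is spent
        return pan


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    blob = encrypt_pan(key, TEST_PAN)
    print("merchant with key recovers PAN:", decrypt_pan(key, blob) == TEST_PAN)

    vault = TokenVault()
    recurring = vault.tokenize(TEST_PAN)
    one_time = vault.tokenize(TEST_PAN, single_use=True)
    print("recurring token:", recurring, "one-time token:", one_time)
    print("vault resolves recurring token:", vault.redeem(recurring) == TEST_PAN)
    vault.redeem(one_time)
    try:
        vault.redeem(one_time)
    except KeyError:
        print("one-time token rejected on second use")
```

A merchant database that holds only the tokens contains nothing that can be turned back into a PAN without access to the vault, whereas the encrypted blob is recoverable by anyone who obtains the key.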

The CenPOS payment platform uses both tokenization and encryption for maximum reduction of PCI scope for merchants, and for data security throughout the payment cycle. It provides the most flexibility for merchants, because they can change processors with no disruption to their business.

*Refer to PCI guidelines for further details. Official PCI Security Standards Council Site


Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT

Thursday, September 29th, 2011

Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) show that growth of compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI Compliance Fee, the evidence is clear that merchants still have a long way to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The first two of these can easily be resolved with our hosted payment processing technology, CenPOS. If you’re going to store cardholder data, it needs to be encrypted. One of the major problems with this has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI Compliant solution to store encrypted card data for recurring billing, charging the same amount on a fixed schedule. However, CenPOS is unique in offering stored card data for billing a variable amount (token billing). Additionally, it is the only technology this writer is aware of that also includes interchange optimization, of major importance to companies trying to control credit card processing fees.


Tokens are issued for stored card data, worthless if stolen.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login and management can micro manage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

  • User Permissions: Control precise transaction types allowed, set maximum thresholds, set alerts based on responses, amounts and other criteria. Extensive Permissions enable maximum merchant protection from lower level employees, plus there are tools for secondary oversight at the admin level to mitigate risk of high level employee fraud.
  • Tracking and Monitoring: The requirement calls for the tracking and monitoring of all access to network resources and cardholder data; the main objective is to maintain system logs and have procedures that ensure proper utilization, protection, and retention. According to the Verizon Report, this has historically been one of the most challenging requirements, but it is critical to forensic investigations if needed. CenPOS logs everything related to the payments process including user ID, time stamps and every other element of interaction with the system. Merchants must have their own internal logging system for their network.

Requirement 11 (Regular Testing) had the least compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).”  Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies): While the best laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, including those so long that they are stuffed in a desk never to be read again, and those that are too vague. Note that the requirements are directly related to the services in scope of the organization’s PCI DSS. The more the merchant reduces their scope, the more the burden is on their service provider instead of their internal personnel. CenPOS reduces the merchant scope in several ways, including but not limited to:

  • Web payments on a hosted pay page, not the merchant’s web page
  • Electronic Bill Presentment and Payment – same as above.
  • Storing all card data, encrypted, on CenPOS servers, eliminating file drawer and merchant stored data

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT (PDF) download

Learn more about how CenPOS can help you with PCI DSS Compliance.

 

 

 

PCI standards for phone call recordings of payments over the phone

Wednesday, August 17th, 2011

Does your company record calls for quality assurance or other purposes? The PCI Security Standards Council has issued supplemental guidelines, “Protecting Telephone-based Payment Card Data,” to help you maintain PCI DSS (Payment Card Industry Data Security Standards) compliance. The guidance is supplemental and does not replace or supersede PCI DSS requirements.
Why Telephone Card Payment Security is Important
In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, resulting in a shift of card fraud towards the Mail Order / Telephone Order (MOTO) space. Additionally, a number of regulatory bodies are requiring some companies to record and store telephone conversations in a range of situations. The Payment Card Industry Data Security Standard (PCI DSS), however, stipulates that the three-digit or four-digit card verification code or value printed on the card (CVV2, CVC2, CID, or CAV2) cannot be retained after authorization, and full primary account numbers (PANs) cannot be kept without further protection measures.

As such, there is a risk that organizations taking customer payment card details over the telephone may be recording the full cardholder details to comply with various regulatory bodies, thereby causing them to be in contravention of PCI DSS requirements and potentially exposing cardholder data to unnecessary risk.

Recap: The PCI SSC FAQ
PCI SSC FAQ 5362 – Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?
This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).
It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.
It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.
Where technology exists to prevent recording of these data elements, such technology should be enabled. If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.


August 2011 chart from PCI Security Standards

Note: Encrypting sensitive authentication data is not by itself sufficient to render the data non-queriable.
For data to be considered “non-queriable” it must not be feasible for general users of the system or malicious users that gain access to the system to retrieve or access the data. Access to the types of functions listed above must be extremely limited, explicitly authorized, documented, and actively monitored. Additionally, controls must be in place to prevent unauthorized access to these functions.
Other methods that may help to render SAD non-queriable include but are not limited to:

  a. Removing call recordings from the call recording solution
  b. Taking the call recordings offline
  c. Vaulting the call recordings
  d. Enforcing dual access controls to the vaulted call recordings
  e. Allowing only single call recordings to be retrieved from vaults

Before considering this option, every possible effort must first be made to eliminate sensitive authentication data. In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business. There must be a documented, legitimate reason why sensitive authentication data cannot be eliminated (for example, a legislative or regulatory obligation), and a comprehensive risk assessment performed at least annually. The detailed justification and risk assessment results must be made available to the acquiring bank and/or payment card brand as applicable. This option is a last resort only, and the desired outcome is always the elimination of all sensitive authentication data after authorization. If technologies are available to fulfil PCI DSS requirements without contravening government laws and regulations, these technologies should be used.

The PCI Security Standards Council (PCI SSC) is not responsible for enforcing compliance or determining whether a particular implementation is compliant. It is the primary recommended source for all merchants to obtain current PCI DSS information.

Download the complete report here
PCI Data Security Standard (PCI DSS) Protecting Telephone-based Payment Card Data

2011 Data Breach report insider theft credit card processing

Tuesday, April 26th, 2011

In this first article of a series we explore insider theft related to data breaches, based on key elements of the Verizon 2011 data breach report. The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply that the opportunity was there.

The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.

Who is behind the data breaches?

  • 92% external agents
  • 17% implicated insiders
  • < 1% business partners
  • 9% involved multiple parties

How do breaches occur?

  • 50% involved some sort of hacking
  • 49% incorporated malware
  • 29% physical attacks
  • 17% from privilege misuse
  • 11% employed social tactics

What commonalities exist?

  • 83% were victims of opportunity
  • 92% were not difficult
  • 76% of all data was compromised from servers
  • 86% discovered by a third party
  • 96% were avoidable through simple or intermediate controls
  • 89% of victims subject to PCI-DSS had not achieved compliance

End of excerpt. Continue reading for blog author comments.

A healthcare company stores credit card data on servers, unencrypted. Their excuse? It’s not connected to the actual credit card processing and access is restricted, so it’s not a PCI Compliance problem. See related article Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically, the company is at great financial risk, including a fine of up to $1.5 million for violating the HITECH Act.

Employees at a car dealer tape passwords next to their computer and in the first unlocked drawer of their desk. Their excuse?  It’s too hard to remember the password and they don’t acknowledge it’s a security issue.

Employees at a retail rental shop have a file folder in plain view of anyone entering the shop containing copies of drivers licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their needs to bill customers if they never returned with the goods.

Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrates, employee training is essential. Industry wide, merchants are completing PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and thus is fully liable for all the associated fines, fees and damages.

In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.

Here are three things you can do to mitigate internal employee risk:

  1. Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training and signed and dated the checklist.
  2. Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
  3. Implement a reward system for identifying vulnerabilities in real-life practices, whether people, software, or hardware.

Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.

Verizon 2011 Data Breach Investigations Report: Breaches Increased Dramatically While Data Loss Was at All-Time Low

Tuesday, April 19th, 2011

Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise

April 19, 2011

NEW YORK – Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the “Verizon 2011 Data Breach Investigations Report.” These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.

The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008. Yet this year’s report covers approximately 760 data breaches, the largest caseload to date.

According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.

The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords. For the first time, physical attacks, such as compromising ATMs, appeared as one of the three most common ways to steal information, and constituted 29 percent of all cases investigated.

For the second year in a row, the U.S. Secret Service collaborated with Verizon in preparing the report. In addition, the National High Tech Crime Unit of the Netherlands Policy Agency (KLPD) joined the team this year, allowing Verizon to provide more insight into cases originating in Europe. Approximately one-third of Verizon’s cases originated in either Europe or the Asia-Pacific region, reflecting the global nature of data breaches.

“Through our Data Breach Investigations Report series, Verizon continues to provide the industry with a first-hand look at cybercrime around the globe,” said Peter Tippett, Verizon’s vice president of security and industry solutions. “This year, we witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, countrywide device-tampering schemes, cunning social engineering plots and more. And yet, at the end of the day, we found once again that the vast majority of breaches can be avoided without extremely difficult, expensive security measures.”

Tippett added: “It is important to remember that data breaches can happen to any business — regardless of size or industry — or consumer, at any place in the world. A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure.”

U.S. Secret Service Assistant Director A.T. Smith said, “Americans over the past several years have seen the significant impacts data breaches are having on our nation’s financial infrastructure. Today cyber criminals are operating in nearly every civilized nation in the world, exposing Americans’ personal information, either stored or transmitted, to substantial risk.”

Smith added, “By participating in the Verizon 2011 Data Breach Investigations Report, the Secret Service is working closely with our private-sector partners to educate Americans about the threats of cyber criminals. With the help of our Electronic Crimes Task Force partners, such as Verizon, we are studying technologies and trends to prevent and mitigate attacks against critical financial infrastructure.”

The Data Breach Investigations Report (DBIR) series now spans seven years and more than 1,700 breaches involving more than 900 million compromised records, making it the most comprehensive study of its kind.

(NOTE: Additional resources supporting the 2011 Data Breach Investigations Report are available, including high-resolution charts and an audio podcast. B-roll available upon request.)

Key Findings of the 2011 Report

Data from the 2011 report shows that:

  • Large-scale breaches dropped dramatically while small attacks increased. The report notes several possible reasons for this trend. Small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
  • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
  • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
  • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
  • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Recommendations for Enterprises

The 2011 report found again that the prescription for data breaches is to use simple, essential security practices such as:

  • Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
  • Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
  • Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
  • Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
  • Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
  • Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

A complete copy of the “Data Breach Investigations Report” is available for download.

About Verizon
Verizon Communications Inc. (NYSE, NASDAQ:VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to mass market, business, government and wholesale customers. Verizon Wireless operates America’s most reliable wireless network, serving 94.1 million customers nationwide. Verizon also provides converged communications, information and entertainment services over America’s most advanced fiber-optic network, and delivers innovative, seamless business solutions to customers around the world. A Dow 30 company, Verizon employs a diverse workforce of more than 194,000 and last year generated consolidated revenues of $106.6 billion. For more information, visit www.verizon.com.