"More worrying is the fact that attackers are moving on from stealing PCI data and are increasingly seeking personally identifiable information (PII)."
You would think that by now most merchants would know how to protect payment card information. However, according to the recent Verizon 2015 PCI Compliance Report, only 20% of businesses passed their most recent PCI compliance assessments. While this is better than the 10% compliance rate cited in the 2014 report, it is important to note that of all the breaches investigated by Verizon last year, "not a single company has been found to be compliant at the time of the breach," underscoring the importance of PCI DSS compliance.
The Payment Card Industry Data Security Standard demands that cardholder data be protected and that merchants put strong access controls and authentication in place. Both of these requirements are essential to prevent a data breach, but they are also the hardest to comply with.
These challenges are predominantly met with "compensating controls", which by the PCI Security Standards Council's definition should "provide a similar level of defence as the original PCI DSS requirement", but which are open to interpretation and, as a result, often leave authentication and login processes fundamentally vulnerable to attackers seeking to steal data.
The Verizon report makes clear that compliance alone is not enough; the sheer ferocity of the attacks seen over the previous year is evidence that current data security measures are inadequate.
Instead, the report suggests that compliance "is a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security." Attackers are advancing their game, working around compliance controls to stay one step ahead of the security level achieved through regulation and industry standards.
Clearly, we are losing the battle against the bad guys.