2016 PCI DSS DATA BREACH TRENDS This data visualization is an overview of SecurityMetrics' Payment Card Industry Forensic Investigation results from 2016.
CONTRIBUTED TO DATA BREACH

The following is a list of how noncompliance with the different PCI requirements contributed to breaches for compromised organizations in 2016. Each requirement was charted in three categories: Contributed, Didn't contribute, and Information not available. The charts survive only as loose percentages in the extracted text; below they are grouped by panel (two requirements per panel, as in the original layout) with the values that appear in each panel. Where the values split into two sets that each sum to 100% the likely per-requirement grouping is noted, but the category (Contributed / Didn't contribute / Information not available) each value belongs to cannot be recovered from the extracted text and is not stated here.

REQUIREMENT 1: Protect Your System With Firewalls
REQUIREMENT 2: Use Adequate Configuration Standards
Values shown in this panel: 17%, 39%, 44% and 34%, 44%, 22% (two sets of three, each summing to 100%).

REQUIREMENT 3: Secure Cardholder Data
REQUIREMENT 4: Secure Data Over Open and Public Networks
Values shown in this panel: 11%, 89% and 17%, 83%. Only the labels "Didn't contribute" and "Information not available" appear in this panel; no "Contributed" label was extracted for Requirements 3 and 4.

REQUIREMENT 5: Protect Systems with Antivirus
REQUIREMENT 6: Update Your Systems
Values shown in this panel: 6%, 33%, 61% and 22%, 28%, 50% (two sets of three, each summing to 100%).

REQUIREMENT 7: Restrict Access
REQUIREMENT 8: Use Unique ID Credentials
Values shown in this panel: 6%, 11%, 83% and 11%, 33%, 56% (two sets of three, each summing to 100%).

REQUIREMENT 9: Ensure Physical Security
REQUIREMENT 10: Implement Logging and Log Monitoring
Values shown in this panel: 11%, 11%, 78% and 28%, 72%. Only five values were extracted for this panel, so one figure is missing.

REQUIREMENT 11: Conduct Vulnerability Scans and Penetration Testing
REQUIREMENT 12: Start Documentation and Risk Assessments
Values shown in this panel: 6%, 44%, 50% and 23%, 33%, 44% (two sets of three, each summing to 100%).

BREACH TIMELINE

THE AVERAGE ORGANIZATION WAS VULNERABLE* FOR 1,021 DAYS
CARDHOLDER DATA WAS CAPTURED* FOR AN AVERAGE OF 163 DAYS
CARDHOLDER DATA WAS EXFILTRATED* FOR AN AVERAGE OF 106 DAYS

2016 FORENSIC TAKEAWAYS

39% OF ORGANIZATIONS WERE BREACHED THROUGH INSECURE REMOTE ACCESS
22% OF ORGANIZATIONS WERE BREACHED DUE TO WEAK PASSWORDS
56% OF ORGANIZATIONS HAD MEMORY-SCRAPING MALWARE INSTALLED ON THEIR SYSTEM
89% OF ORGANIZATIONS HAD FIREWALLS IN PLACE AT TIME OF COMPROMISE; 44% OF FIREWALLS DID NOT MEET PCI REQUIREMENTS

TERMS TO KNOW:

* Vulnerable – A system, environment, software, and/or website can be exploited by an attacker.
* Captured – Data is being recorded, gathered, and/or stored by an unauthorized party.
* Exfiltrated – Data is transferred out of a system without authorization (e.g., exporting).
Disclaimer: SecurityMetrics Forensic Investigators are Qualified Security Assessors, but they do not perform a complete QSA audit of each PCI requirement during a PCI forensic investigation. PCI DSS requirement data is analyzed only to the extent that investigators observe it during the course of an investigation, which is why an "Information not available" share is reported for each requirement.
QUESTIONS ABOUT PCI COMPLIANCE? Download our 2016 Guide to PCI DSS Compliance
[email protected] 801.705.5656 © 2017 SecurityMetrics