PCI DSS Requirements Implemented at the Time of Compromise
The following table shows, for the compromised businesses we investigated, whether each PCI DSS requirement was in place at the time of compromise in 2020:
Requirement 1: Protect Your System With Firewalls | In place 63% | Not in place 0% | Unknown 37%
Requirement 2: Use Adequate Configuration Standards | In place 63% | Not in place 37% | Unknown 0%
Requirement 3: Secure Cardholder Data | In place 63% | Not in place 37% | Unknown 0%
Requirement 4: Secure Data Over Open and Public Networks | In place 100% | Not in place 0% | Unknown 0%
Requirement 5: Protect Systems with Antivirus | In place 51% | Not in place 49% | Unknown 0%
Requirement 6: Update Your Systems | In place 25% | Not in place 50% | Unknown 25%
Requirement 7: Restrict Access | In place 100% | Not in place 0% | Unknown 0%
Requirement 8: Use Unique ID Credentials | In place 87% | Not in place 13% | Unknown 0%
Requirement 9: Ensure Physical Security | In place 100% | Not in place 0% | Unknown 0%
Requirement 10: Implement Logging and Log Monitoring | In place 49% | Not in place 51% | Unknown 0%
Requirement 11: Conduct Vulnerability Scans and Penetration Testing | In place 25% | Not in place 75% | Unknown 0%
Requirement 12: Start Documentation and Risk Assessments | In place 0% | Not in place 86% | Unknown 14%
Non-compliance Contributed to Data Breach
The following table lists, for organizations compromised in 2020, whether non-compliance with each PCI DSS requirement contributed to the breach:
Requirement 1: Protect Your System With Firewalls | Contributed 0% | Didn’t contribute 62% | Unknown 38%
Requirement 2: Use Adequate Configuration Standards | Contributed 0% | Didn’t contribute 62% | Unknown 38%
Requirement 3: Secure Cardholder Data | Contributed 25% | Didn’t contribute 62% | Unknown 13%
Requirement 4: Secure Data Over Open and Public Networks | Contributed 0% | Didn’t contribute 100% | Unknown 0%
Requirement 5: Protect Systems with Antivirus | Contributed 38% | Didn’t contribute 37% | Unknown 25%
Requirement 6: Update Your Systems | Contributed 38% | Didn’t contribute 12% | Unknown 50%
Requirement 7: Restrict Access | Contributed 0% | Didn’t contribute 100% | Unknown 0%
Requirement 8: Use Unique ID Credentials | Contributed 13% | Didn’t contribute 87% | Unknown 0%
Requirement 9: Ensure Physical Security | Contributed 0% | Didn’t contribute 100% | Unknown 0%
Requirement 10: Implement Logging and Log Monitoring | Contributed 51% | Didn’t contribute 49% | Unknown 0%
Requirement 11: Conduct Vulnerability Scans and Penetration Testing | Contributed 62% | Didn’t contribute 25% | Unknown 13%
Requirement 12: Start Documentation and Risk Assessments | Contributed 38% | Didn’t contribute 12% | Unknown 50%
2020 FORENSIC TAKEAWAYS
The average organization was vulnerable* for 1321 days.
Cardholder data was captured* for an average of 589 days.
Cardholder data was exfiltrated* for an average of 589 days.
89% of organizations were breached through remote execution/injection.
6% of organizations were breached through malvertising.
5% of organizations were breached through ransomware.
92% of organizations had some firewalls in place at the time of compromise.
TERMS TO KNOW
Vulnerable: A state in which a weakness in a system, environment, software, or website could be exploited by an attacker.
Captured: The time that data is being recorded, gathered, or stored from an unauthorized source.
Exfiltrated: The unauthorized transfer of data from a system.
2020 PCI DSS Data Breach Analysis
SecurityMetrics Forensic Investigation Results from 2019
PCI DSS Requirements Implemented at the Time of Compromise
The following table shows, for the compromised businesses we investigated, whether each PCI DSS requirement was in place at the time of compromise in 2019:
Requirement 1: Protect Your System With Firewalls | In place 33% | Not in place 67% | Unknown 0%
Requirement 2: Use Adequate Configuration Standards | In place 83% | Not in place 17% | Unknown 0%
Requirement 3: Secure Cardholder Data | In place 100% | Not in place 0% | Unknown 0%
Requirement 4: Secure Data Over Open and Public Networks | In place 83% | Not in place 0% | Unknown 17%
Requirement 5: Protect Systems with Antivirus | In place 17% | Not in place 83% | Unknown 0%
Requirement 6: Update Your Systems | In place 17% | Not in place 83% | Unknown 0%
Requirement 7: Restrict Access | In place 83% | Not in place 17% | Unknown 0%
Requirement 8: Use Unique ID Credentials | In place 33% | Not in place 67% | Unknown 0%
Requirement 9: Ensure Physical Security | In place 100% | Not in place 0% | Unknown 0%
Requirement 10: Implement Logging and Log Monitoring | In place 17% | Not in place 83% | Unknown 0%
Requirement 11: Conduct Vulnerability Scans and Penetration Testing | In place 17% | Not in place 83% | Unknown 0%
Requirement 12: Start Documentation and Risk Assessments | In place 0% | Not in place 17% | Unknown 83%
Non-compliance Contributed to Data Breach
The following table lists, for organizations compromised in 2019, whether non-compliance with each PCI DSS requirement contributed to the breach:
Requirement 1: Protect Your System With Firewalls | Contributed 66% | Didn’t contribute 34% | Unknown 0%
Requirement 2: Use Adequate Configuration Standards | Contributed 17% | Didn’t contribute 83% | Unknown 0%
Requirement 3: Secure Cardholder Data | Contributed 0% | Didn’t contribute 100% | Unknown 0%
Requirement 4: Secure Data Over Open and Public Networks | Contributed 17% | Didn’t contribute 83% | Unknown 0%
Requirement 5: Protect Systems with Antivirus | Contributed 33% | Didn’t contribute 50% | Unknown 17%
Requirement 6: Update Your Systems | Contributed 33% | Didn’t contribute 50% | Unknown 17%
Requirement 7: Restrict Access | Contributed 17% | Didn’t contribute 83% | Unknown 0%
Requirement 8: Use Unique ID Credentials | Contributed 60% | Didn’t contribute 40% | Unknown 0%
Requirement 9: Ensure Physical Security | Contributed 0% | Didn’t contribute 100% | Unknown 0%
Requirement 10: Implement Logging and Log Monitoring | Contributed 0% | Didn’t contribute 100% | Unknown 0%
Requirement 11: Conduct Vulnerability Scans and Penetration Testing | Contributed 66% | Didn’t contribute 34% | Unknown 0%
Requirement 12: Start Documentation and Risk Assessments | Contributed 17% | Didn’t contribute 17% | Unknown 66%
2019 FORENSIC TAKEAWAYS
The average organization was vulnerable* for 699 days.
Cardholder data was captured* for an average of 532 days.
Cardholder data was exfiltrated* for an average of 532 days.
66% of organizations were breached through remote execution/injection.
17% of organizations were breached through e-skimming.
17% of organizations were breached through malvertising.
83% of organizations had some firewalls in place at the time of compromise.
TERMS TO KNOW
Vulnerable: A state in which a weakness in a system, environment, software, or website could be exploited by an attacker.
Captured: The time that data is being recorded, gathered, or stored from an unauthorized source.
Exfiltrated: The unauthorized transfer of data from a system.
SecurityMetrics Forensic Investigators have witnessed the rise and fall of popular attack trends over 16 consecutive years.
Comparing 2018 forensic trends to previous years, SecurityMetrics’ Forensic Investigators conducted more forensic investigations of e-commerce environments than of point-of-sale (POS) environments. For example, in 2018 approximately 80% of payment-card-related investigations were of e-commerce breaches, compared to 2017, when only 33% of investigations were e-commerce breaches.
The following data visualization is an analysis of SecurityMetrics’ Payment Card Industry Forensic Investigation results from 2018:
PCI DSS Requirements Implemented at the Time of Compromise
The following table shows, for the compromised businesses we investigated, whether each PCI DSS requirement was in place at the time of compromise in 2018:
Requirement 1: Protect Your System With Firewalls | In place 75% | Not in place 25% | Unknown 0%
Requirement 2: Use Adequate Configuration Standards | In place 90% | Not in place 10% | Unknown 0%
Requirement 3: Secure Cardholder Data | In place 39% | Not in place 61% | Unknown 0%
Requirement 4: Secure Data Over Open and Public Networks | In place 82% | Not in place 0% | Unknown 18%
Requirement 5: Protect Systems with Antivirus | In place 37% | Not in place 63% | Unknown 0%
Requirement 6: Update Your Systems | In place 35% | Not in place 65% | Unknown 0%
Requirement 7: Restrict Access | In place 82% | Not in place 18% | Unknown 0%
Requirement 8: Use Unique ID Credentials | In place 64% | Not in place 36% | Unknown 0%
Requirement 9: Ensure Physical Security | In place 67% | Not in place 33% | Unknown 0%
Requirement 10: Implement Logging and Log Monitoring | In place 33% | Not in place 67% | Unknown 0%
Requirement 11: Conduct Vulnerability Scans and Penetration Testing | In place 27% | Not in place 73% | Unknown 0%
Requirement 12: Start Documentation and Risk Assessments | In place 20% | Not in place 80% | Unknown 0%
Non-compliance Contributed to Data Breach
The following table lists, for organizations compromised in 2018, whether non-compliance with each PCI DSS requirement contributed to the breach:
Requirement 1: Protect Your System With Firewalls | Contributed 22% | Didn’t contribute 78% | Unknown 0%
Requirement 2: Use Adequate Configuration Standards | Contributed 0% | Didn’t contribute 78% | Unknown 22%
Requirement 3: Secure Cardholder Data | Contributed 0% | Didn’t contribute 60% | Unknown 40%
Requirement 4: Secure Data Over Open and Public Networks | Contributed 0% | Didn’t contribute 82% | Unknown 18%
Requirement 5: Protect Systems with Antivirus | Contributed 62% | Didn’t contribute 38% | Unknown 0%
Requirement 6: Update Your Systems | Contributed 43% | Didn’t contribute 57% | Unknown 0%
Requirement 7: Restrict Access | Contributed 0% | Didn’t contribute 80% | Unknown 20%
Requirement 8: Use Unique ID Credentials | Contributed 23% | Didn’t contribute 77% | Unknown 0%
Requirement 9: Ensure Physical Security | Contributed 18% | Didn’t contribute 82% | Unknown 0%
Requirement 10: Implement Logging and Log Monitoring | Contributed 65% | Didn’t contribute 35% | Unknown 0%
Requirement 11: Conduct Vulnerability Scans and Penetration Testing | Contributed 67% | Didn’t contribute 33% | Unknown 0%
Requirement 12: Start Documentation and Risk Assessments | Contributed 70% | Didn’t contribute 30% | Unknown 0%
2018 FORENSIC TAKEAWAYS
The average organization was vulnerable* for 275 days.
Cardholder data was captured* for an average of 127 days.
Cardholder data was exfiltrated* for an average of 127 days.
50% of organizations were breached through remote execution/injection.
33% of organizations were breached internally (i.e., employee assisted).
17% of organizations were breached through phishing emails.
57% of organizations had firewalls in place at the time of compromise.
TERMS TO KNOW
Vulnerable: A state in which a weakness in a system, environment, software, or website could be exploited by an attacker.
Captured: The time that data is being recorded, gathered, or stored from an unauthorized source.
Exfiltrated: The unauthorized transfer of data from a system.