1. The first table listed the 12 main PCI-DSS requirements and the potential scope reduction possible.
2. The second table detailed the possible scope reduction for all 200+ individual PCI-DSS requirements.

Within the 2011 Verizon Data Breach Investigation Report, there was a table based on post-breach reviews that documents the percent of investigated organizations that were compliant with each of the specific 12 PCI-DSS requirements. The table included data from the 2008, 2009 and 2010 Verizon reports as well as the 2010 PCI Compliance Report.

I thought it would be interesting to compare the table of PCI-DSS requirements as documented by Coalfire in the E3 assessments to the average of the four reports that Verizon listed (last column). This highlights the requirements that were deemed by Verizon the most difficult to achieve and maintain compliance on and how E3 can reduce the scope of those requirements. By reducing PCI scope by implementing encryption, business owners can focus more on complying with the other requirements and ultimately lower the risk of having data stolen.

The icons represent the values listed below for the percentages of compliance.

Here are some of the highlights:

• 92% of attacks were not highly difficult
• 96% of breaches were avoidable through simple or intermediate controls
• 89% of victims subject to PCI-DSS had not achieved compliance
• 83% of victims were targets of opportunity
• 57% of investigations were businesses with 11-100 employees
• 40% of breaches were in the hospitability industry (restaurants and hotels)

These statistics show that PCI-DSS validation and ongoing compliance are no guarantee against suffering a data breach, as 11% of those deemed compliant were still breached. It does demonstrate that adhering to PCI-DSS and doing the basics of data security put the odds of protecting your business in your favor. The fact that 83% of the victims were targets of opportunity rather than specifically targeted also backs this up.

So, were small and medium sized businesses (especially restaurants and hotels) breached more because they were easier targets?  There may be more to it than that. The report made an interesting point:

“Criminals may be making a classic risk vs. reward decision and opting to ‘play it safe’ in light of recent arrests and prosecutions following large scale intrusions into Financial Services firms. Numerous smaller strikes on hotels, restaurants, and retailers represent a lower-risk alternative, and cybercriminals may be taking greater advantage of that option.”

The most important thing business owners of all types and sizes can learn from looking back in this year-in-review of data breaches is how to protect themselves moving forward. While the threat landscape continues to evolve, Heartland’s E3™ end-to-end encryption solution remains one of the most effective and cost-efficient ways to ensure your business is protected … and hopefully not one of the incidents used by the Verizon RISK Team in its 2012 Report.

Winning a seat on the Board is a testament to Heartland as an organization, our groundbreaking E3™ end-to-end encryption technology and our security-centric approach to business.

Comprised of 21 members representing a broad range of organizations, the Board will provide strategic and technical guidance as the Council continually develops security standards and seeks to raise awareness and compliance with its guidance.

The PCI SSC is a crucial organization for the payments community, as well as merchants large and small. Strong, effective security standards and industry collaboration are mission critical in our collective fight against international gangs of professional cybercriminals, and I look forward to kicking off the term in June with my fellow Board members to help safeguard all stakeholders in the payments ecosystem.

If your business takes payment over the phone, credit card data is exchanged to complete the transaction. If these calls are recorded and stored for future listening, that credit card information may be sitting in the clear … and vulnerable. It’s not rocket science, but it’s something many business owners unknowingly overlook.

To provide merchants guidance on how to securely process and store card data over the phone, the Payment Card Industry (PCI) Council released guidance on the topic in its March 18 Protecting Telephone-Based Payment Card Data Information Supplement. The main directive? “If you don’t need it, don’t store it,” said Jeremy King, European regional director for the PCI Security Standards Council in a recent interview. Learn more about PCI guidance for call centers.

This is just one example of payment card data that may be “hiding” right under your nose. Do you use an automated voice response system or interactive voice response (IVR) system? If so, those programs are likely storing sensitive card information.  Do you have surveillance systems or security cameras that videotape merchants or employees at your business? Make sure the footage doesn’t include computer or payment terminal footage, which could reveal payment card data. What about excel spreadsheets used to track data? If payment card information is stored there, you’re also subject to PCI regulations.

Carefully examine your business to determine other places where data may be “hiding” so you can take steps to secure it — and your business. You may also want to consider hiring an approved scanning vendor (ASV) who will thoroughly review your systems and can help you identify and rectify vulnerabilities.

It’s no secret the payments ecosystem is vulnerable. Much like the Internet, the payments infrastructure was developed for connectivity — not for security. Now, in the face of serious threats, the industry is playing catch up to safeguard it.

Today, wherever you see mention of payment card data security, “encryption” is sure to follow. Industry analysts, like Gartner’s Avivah Litan, are vocal in their support of end-to-end encryption. In a recent Computerworld blog, she notes, “End-to-end encryption … is a good security practice, but one which is not mandated.”

Before we can reach the point of requiring merchants to implement end-to-end encryption, we must address the nature of encryption itself. Not all encryption is created equal. Software-based encryption is a nice to have, but not as secure as hardware-based encryption. Encrypting data after it has passed through a merchant system in the clear is quite different than encrypting data the moment a card is swiped in a hardware-protected tamper-resistant security module (TRSM). Protecting data during disparate stages of the transaction lifecycle, like point-to-point encryption, is hardly the same as protecting it continuously throughout the entire lifecycle, like true end-to-end encryption.

This is exactly why the industry needs encryption standards. By providing standard security requirements to govern the use of encryption to secure payment card data, merchants will be able to know plain and simple if they’re protecting their businesses from the reputational and financial risks associated with data breaches.

Last year, the Secure POS Vendor Alliance introduced its end-to-end encryption security requirements for vendors of POS devices.  The American National Standards Institute (ANSI) accredited standards committee, ASC X9 F6, is close to completion of a true standard. These are significant steps in the right direction.

Encryption standards can’t come soon enough, but the lack thereof shouldn’t stop business owners from implementing true end-to-end encryption solutions today.

• Review PCI regulations
• Explain how to achieve compliance
• Uncover how third-party service providers can help lower – but never eliminate – PCI scope
• Debunk PCI myths, and
• Explore helpful resources at your disposal

To learn more and register, visit 1card.com/webinars today!

• Paul Rasori – SPVA Chairman
  VeriFone, Senior Vice President, Global Marketing
• Christopher Coonen – SPVA Vice Chairman / Chief Technical Officer
  Ingenico, EVP, Global Solutions, Sales & Marketing
• T.K. Cheung – SPVA Secretary / Treasurer
  Hypercom, VP Global Quality & Security
• Thomas Xu – SPVA General Member Director
  PAX Technology, Ltd., Vice President, Marketing & Sales

The SPVA has been instrumental in strengthening payment security standards across the globe with its end-to-end encryption security requirements targeted for vendors of POS devices. Under the guidance of these leaders, the SPVA is sure to continue making significant contributions to the security of the paymens ecosystem in 2011 and beyond.

• At least 75% of their Visa contact and contactless card transaction originate from EMV chip-enabled terminals
• They have either previously validated PCI DSS compliance or have provided a plan to come into compliance
• They have not been involved in a recent material breach of cardholder data.

But, the US is on the sidelines for now. Citing uncertainty stemming from impending federal regulations on debit cards, Visa’s program excludes US merchants. Politics aside, we at Heartland continue to stand firm in our support of EMV as a critical layer of data protection and this movement represents a significant step forward in the wide-spread adoption of the technology.

While merchants in the US cannot participate in Visa’s program as of yet, they can drastically reduce the costs of PCI compliance and validation today by adopting advanced encryption technologies, like Heartland’s E3™ end-to-end encryption. E3 can reduce PCI scope by up to 79% — which translates to significant cost savings on assessment and validation.

Business owners should also be forward thinking about their technology investments. They should be looking for EMV-enabled terminals — like Heartland’s E3 terminal — so they’re prepared when EMV takes off in this country. Our 11,150 E3 merchants are ready and waiting …

This morning Computerworld revealed its “Premier 100 IT Leaders” – the year’s best and brightest information technology professionals. These leaders are at the helm of profound innovation, delivering game-changing technologies and measurable business value for their organizations and their customers.

Congratulations to all of these leaders, including Heartland’s very own Steve Elefant for his pioneering work in end-to-end encryption and payment card data security!

How do we know this? The rapid and compelling adoption of our E3™ end-to-end encryption technology. More than 10,000 retailers and business owners of all sizes are now using E3 to safeguard their payments (with our standalone terminal or the USB MSR wedge), a number that has grown exponentially since E3’s launch in May of 2010. These merchants recognize that cyber security threats are ever-evolving and that they need to take proactive measures to safeguard their businesses and their customers. Some in the industry initially questioned this adoption — but when armed with a simple, cost-effective solution, no business is too small to effectively fight off the bad guys.

If you’re not one of the more than 10,000 merchants currently using E3, find out how you can start today.