
2017 PCI DSS Data Breach Trends

This is an overview of Security Metrics' Payment Card Industry forensic investigation results from 2017. Non-compliance with PCI DSS contributed to the data breaches investigated.

The following list shows, for each PCI DSS requirement, the share of compromised organizations in 2017 whose breach was contributed to by noncompliance with that requirement ("Yes"), the share where it was not ("No"), and the share where the information was not available.

Requirement 1: Protect your System with Firewalls
  • Yes: 30%
  • No: 52%
  • Information not available: 18%
Requirement 2: Use Adequate Configuration Standards
  • Yes: 33%
  • No: 5%
  • Information not available: 12%
Requirement 3: Secure Cardholder Data
  • Yes: 6%
  • No: 82%
  • Information not available: 12%
Requirement 4: Secure Data Over Open and Public Networks
  • Yes: 15%
  • No: 79%
  • Information not available: 6%
Requirement 5: Protect Systems with Antivirus
  • Yes: 6%
  • No: 82%
  • Information not available: 12%
Requirement 6: Update Your Systems
  • Yes: 39%
  • No: 49%
  • Information not available: 12%
Requirement 7: Restrict Access
  • Yes: 6%
  • No: 85%
  • Information not available: 9%
Requirement 8: Use Unique ID Credentials
  • Yes: 40%
  • No: 33%
  • Information not available: 27%
Requirement 9: Ensure Physical Security
  • Yes: 0%
  • No: 94%
  • Information not available: 6%
Requirement 10: Implement Logging and Log Monitoring
  • Yes: 73%
  • No: 12%
  • Information not available: 15%
Requirement 11: Conduct Vulnerability Scans and Penetration Testing
  • Yes: 64%
  • No: 6%
  • Information not available: 20%
Requirement 12: Maintain Documentation and Risk Assessments
  • Yes: 61%
  • No: 30%
  • Information not available: 9%
2017 Forensics Takeaways
  • Cardholder Data was captured for an average of 237 days
  • 45% of organizations were breached through insecure remote access
  • The average organization was vulnerable for 1,549 days
  • 21% of organizations were breached through malicious code
  • Cardholder data was exfiltrated for an average of 264 days
  • 39% of organizations had memory-scraping malware installed on their system
  • 97% of organizations had firewalls in place at time of compromise; at least 15% of firewalls did not meet PCI requirements.


Source and download: Security Metrics.

Read More: Security Metrics Blog.