Verizon pre-released today its 2014 PCI (payment card industry) compliance report, which tracks trends in compliance with the Payment Card Industry Data Security Standard (PCI DSS), the standard that merchants, banks, credit card processors and other institutions follow to secure their cardholders' data. The release of this report follows yesterday's revelation by Brian Krebs that Target's massive security breach likely stemmed from network credentials stolen from a third-party HVAC vendor that had been given external network access.
As it turns out, the PCI DSS has an entire requirement (Requirement 8) devoted to authenticating users, and a particular sub-requirement (8.3) devoted to authorizing access for users outside the network, such as vendors. According to the Verizon report, only 24.2% of organizations that suffered a security breach in 2013 were compliant with Requirement 8 at the time of the breach.
The report states that over 80% of these breaches used single-factor username and password credentials and could have been avoided had two-factor authentication been in place. Two-factor authentication requires two separate methods of proving a user's identity before access is granted: one is usually a physical token such as a card, and the other is usually a password. Section 8.3 of the PCI DSS does indeed require two-factor authentication for users accessing the network from outside it.
Still, the picture for the payment card industry overall is improving: 62.2% of companies covered in the report met all the demands of Requirement 8 in 2013, an increase of 39.6 percentage points over 2012.