Verizon PCI Report: Only 24% of Breached Organizations Compliant With Authentication Requirements


Verizon pre-released today its 2014 PCI (payment card industry) compliance report, which highlights the trends of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which merchants, banks, credit card processing and other institutions follow to ensure the security of their cardholders' data. The release of this report follows yesterday's revelation by Brian Krebs that Target's massive security breach likely stemmed from network credentials that were stolen from a third-party HVAC vendor, which had been given external network access.

As it turns out, the PCI DSS has an entire requirement (section 8) devoted to authenticating users and a particular sub-requirement (8.3) devoted to authorizing access for users, such as vendors, outside the network. According to the Verizon report, only 24.2% of organizations that suffered a security breach in 2013 were compliant with Requirement 8 at the time of the breach.

The report states that over 80% of these breaches used single-factor username and password credentials and could have been avoided had two-factor authentication been used (two-factor authentication requires two distinct factors to prove a user's identity before access is granted: one is usually something the user has, such as a physical token or card, and the other is usually something the user knows, such as a password). Section 8.3 of the PCI DSS does indeed require two-factor authentication for users accessing the network from outside it.

Still, the picture for the payment card industry overall is improving: 62.2% of companies covered in the report met all the demands of Requirement 8 in 2013, an increase of 39.6 percentage points over 2012.


FCC's Wheeler: We Can't Sit Around and Suck Eggs


Federal Communications Commission (FCC) Chairman Tom Wheeler today reiterated his view that the Commission must work quickly to assess the impact of radical changes in the communications landscape due to the rapid adoption of Internet Protocol (IP) technology by communication network providers. Speaking at an event hosted by the National Journal following the FCC's launch of a series of trials aimed at measuring the impact of that transition, Wheeler said "if we sit around and suck eggs as the FCC did when it was sitting around saying 'should we use spectrum for cellular?' we will have incredibly adverse results for our economy."

Collecting real-world data through research and trials before sanctioning the end of the old twisted copper-pair, analog-based public telephone network is crucial because "the thing I learned is that you get one shot," he said, referring to his long history in dealing with FCC policies. "The trials are going to give us the opportunity to collect the information that will help us to put together the components on that one shot. You can’t do a Gilda Radner on this [and say] 'oh never mind.'"

Wheeler also made a case that the current state of communications competition, in which most markets are served by only two dominant network providers, leaves a lot of room for improvement. "IP means choices…vast choices in services. There needs to be competition in the infrastructure that delivers those services," he said.

"While building IP networks is a highly capital-intensive activity, operating IP networks [is] essentially cost-less. How do we make sure there is competition out there? By having multiple choices for consumers [in] terms of facilities-based infrastructure."

Fostering competition in communications is a crucial economic issue as well as a consumer choice matter. "In order to have choice and competition in services it really helps to have choice and competition in the networks. You can’t have an opportunity economy without having opportunity networks," he said.
