
2024 Payment Security Report

Information technology | 2024-10-03 | Verizon

Verizon Cyber Security Consulting

About the cover

The unfolded blueprint on the cover is a visual representation of program evaluation architecture with dimensions, specifications and boundaries for the structured measurement of program performance. Tucked inside is a partial cube—either under construction or deconstruction. Through a series of logical steps, the structure can evolve according to an increasingly mature blueprint design.

The different colors of the blocks present an abstract taxonomy of program evaluation functions—such as processes (orange blocks), capabilities (blue blocks) and responsibilities (green blocks).

This concept is a continuation of the cover from our 2023 white paper, “Advanced PCI security program management design,” which features a 5x5 cube that depicts the complexity of security program management. The Verizon 2024 Payment Security Report cover is meant to convey the critical next moves—Payment Card Industry Data Security Standard (PCI DSS) post-implementation performance evaluation.

“If you don’t measure it, you can’t manage it” is an often-quoted business maxim. Organizations have yet to sufficiently formalize the methods, metrics and tools for measuring and optimizing the management of their PCI security program performance.

The ongoing investment and economical management of PCI DSS compliance prompts fundamental questions, such as:

• How do you know that you are getting the right work done in the right manner to help secure your payment card data and maintain sustainable compliance?
• How should organizations measure security control effectiveness, report their return on investment and express the business value of their PCI security program?

Without measuring and evaluating the most relevant metrics, your answers to these questions are likely to be merely your best guess. There is no need to guess what your next five moves should be to improve the maturity of your PCI security compliance management capabilities.

It’s not about cramming more activities into an overloaded schedule. When done right, a well-constructed program measurement and evaluation plan is about doing less by focusing on what matters most. To simplify your compliance performance evaluation maturity, this report outlines an integrated set of time-tested program evaluation methods and models.

Table of contents

About the report 1

1 State of compliance
  Verizon Payment Security Report history 6
  Executive summary 7
  The compliance landscape 11
  The state of PCI DSS compliance 43
  Key requirements 1 through 12
    1. Install and maintain network security controls 52
    2. Apply secure configurations to all system components 54
    3. Protect stored account data 56
    4. Protect cardholder data with strong cryptography during transmission 58
    5. Protect all systems and networks from malicious software 60
    6. Develop and maintain secure systems and software 62
    7. Restrict access to system components and CHD by business “need to know” 68
    8. Identify users and authenticate access to system components 70
    9. Restrict physical access to cardholder data 72
    10. Log and monitor all access to system components and cardholder data 74
    11. Test security of systems and networks regularly 76
    12. Support information security with organizational policies and programs 82
  Bottom-20 list 84
  Methodology 85

2 Commentary 17
  Evaluating PCI security program success 18
  Evaluation of a corporate compliance program 20
  Effective security program evaluation 23
  Integrating PCI security program evaluation frameworks 26
  The 4 Lines of Assurance 27
  The 7 Constraints of Organizational Proficiency 28
  Integrated program performance evaluation 29
  An overview of the 9 Factors of Control Effectiveness and Sustainability 31
  Evaluating control effectiveness 33
  Evaluating program maturity 39
  On measurement and maturity models 40

3 Appendices
  Appendix A: The rise and risk of third-party scripts in modern websites 88
  Appendix B: A deeper dive into PCI security performance measurement and evaluation 97
  Appendix C: PCI DSS compliance schedule 105

About the report

Each year, Verizon Cyber Security Consulting publishes the Payment Security Report or a white paper to highlight Verizon’s approach to some of the most pressing payment security concerns in the industry. Our deep thought leadership keeps you educated on how to problem solve challenges and navigate trends and developments in the increasingly complex, evolving landscape of payment security. Our time-tested models, methods and techniques emerged from 20 years of research highlighted in this report. Readers are left with concrete, practical knowledge and the capabilities to help maintain and sustain their payment security programs year after year.

Reader feedback

“The Payment Security Report is one of the essential elements to define long-term compliance with the challenges facing us in the financial sector. As part of our multiple certifications, it helps us anticipate difficulties, define in the long term the means to be put in place, and, consequently, maintain our level of security and compliance.”
Frank Lavenant, CISO, STET

First published in 2010, the acclaimed report is wi