Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/29/2011
03:56 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Businesses Backsliding On PCI Compliance

Most merchants that achieve compliance then fall out of it the next year, according to new Verizon data

It's been six years since the Payment Card Industry Data Security Standard (PCI DSS) was born, but most organizations worldwide still aren't remaining PCI-compliant year-round.

According to Verizon's newly published 2011 Payment Card Industry Compliance Report, 79 percent of organizations were not fully PCI compliant in their initial PCI audit in 2010, while only 21 percent were. That's about the same as last year's report, according to Verizon.

"Most of the clients in this review had been compliant with us previously or when another QSA" wrote the initial report of compliance, and most weren't new to PCI, says Jen Mack, director of Verizon's global PCI consulting services. "They were not able to maintain it throughout the year. They backslid."

Mack says that trend is likely in part due to other priorities overshadowing PCI throughout the year, but the underlying problem is that many organizations are not focusing on PCI as a year-round, long-term process. "[They] need a programmatic approach to make this easier to maintain ... there's a way to do it."

The organizations were achieving compliance and then at the next initial assessment, basically starting all over again in their rate of compliance. "It's still a good standard and it's not impossible to achieve compliance," Mack says. "The biggest thing in our report this year is that people are not able to or are not making the effort to maintain their compliance throughout the year."

Mack says the key is to fit PCI DSS requirements into a daily routine and to not just look at them as requirements that must be met when the qualified security assessor (QSA) comes knocking.

Verizon's report comes from findings in more than 100 PCI DSS assessments performed by its QSAs last year, and from data gathered by its investigative response group's work on payment card breach investigations. The company also analyzed the PCI data with findings from its 2011 Verizon Data Breach Investigations Report.

Joshua Daymont, principal with Securisea, says some companies are better at maintaining compliance than others. And it also depends on the details of the compliance report: Say a firm is found to have only 30 percent of its client machines running antivirus in an assessment, and then brings those machines into compliance with AV software. "Let's say the assessor comes back the next year and finds they have drifted out with the AV requirement, but only two computers don't have AV: they might be a computer that has not been used in a long time ... or a new computer and there was some process failure. In the report, it would show that they were out of compliance in those items, but the qualitative risk exposure is quite different" this year, he says.

That doesn't excuse noncompliance, he says, but that's an example of how the devil's in the details with assessments.

Verizon's report also found that nearly 90 percent of companies that were hit with breaches were not PCI-compliant. PCI clients scored better than breach victims by a 50 percent margin when it comes to PCI compliance. "...breach victims are less compliant than a normal population of organizations," according to the report. "Though the disparity between the groups fluctuates per requirement, on average, PCI clients scored better than breach victims by a 50 percent margin. So while ‘prove’ may be too strong a word to use in this case, the results do suggest that an organization wishing to avoid breaches is better off pursuing PCI DSS than shunning it altogether."

Even more disconcerting, however, were the areas in which they are slipping the most: in protecting stored cardholder data; tracking and monitoring access; regularly testing systems and processes; and maintaining security policies.

The lack of logging is a big red flag, according to security experts. "This is an outrage. The PCI Data Security Standard is a pretty low bar as far as computer security goes. The fact that companies are having a hard time maintaining compliance with it speaks to the sorry state of data security in the Cloud Age," says Bill Roth, CMO of LogLogic. "Verizon’s report showed that PCI 10, which requires companies to log all activity in the network, is one of the top three standards companies are failing to meet. There’s no excuse for failing to meet this standard. It’s not that hard -- start an appliance, point your logs, done. This is our personal information. Companies need to show their customers more respect and implement decent security."

But the bottom line is that even with PCI compliance, breaches are still occurring. That's because attackers are able to adjust their techniques as companies shore up their defenses, says Securisea's Daymont. "That is likely to go on for some time," he says. "To me, the biggest takeaway here is that PCI has a lot of great requirements, and one is that merchants have to use AV ... but the reality is that many AV solutions today just haven't been able to stop malware threats."

There were some bright spots in the Verizon report as well. Some 78 percent of testing procedures had been met at the time of the initial assessment, and the use of encryption was on the increase, with 72 percent encrypting the transmission of cardholder data over open networks, up from 63 percent last year. Some 83 percent won't accept payment via email now. "In many instances, they are going beyond simply making it a policy and are backing it up with automated filtering at the mail servers that deny any e-mails containing cardholder data," says the Verizon report.

A copy of the full report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28488
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
CVE-2021-22847
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
CVE-2021-22849
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...