


Businesses Backsliding On PCI Compliance

Most merchants that achieve compliance then fall out of it the next year, according to new Verizon data

It's been six years since the Payment Card Industry Data Security Standard (PCI DSS) was born, but most organizations worldwide still aren't remaining PCI-compliant year-round.

According to Verizon's newly published 2011 Payment Card Industry Compliance Report, 79 percent of organizations were not fully PCI compliant in their initial PCI audit in 2010, while only 21 percent were. That's about the same as last year's report, according to Verizon.

"Most of the clients in this review had been compliant with us previously or when another QSA" wrote the initial report of compliance, and most weren't new to PCI, says Jen Mack, director of Verizon's global PCI consulting services. "They were not able to maintain it throughout the year. They backslid."

Mack says that trend is likely in part due to other priorities overshadowing PCI throughout the year, but the underlying problem is that many organizations are not focusing on PCI as a year-round, long-term process. "[They] need a programmatic approach to make this easier to maintain ... there's a way to do it."

The organizations were achieving compliance and then, at the next initial assessment, were essentially starting over, with their compliance rate back where it had been a year earlier. "It's still a good standard and it's not impossible to achieve compliance," Mack says. "The biggest thing in our report this year is that people are not able to or are not making the effort to maintain their compliance throughout the year."

Mack says the key is to fit PCI DSS requirements into a daily routine and to not just look at them as requirements that must be met when the qualified security assessor (QSA) comes knocking.

Verizon's report comes from findings in more than 100 PCI DSS assessments performed by its QSAs last year, and from data gathered by its investigative response group's work on payment card breach investigations. The company also analyzed the PCI data with findings from its 2011 Verizon Data Breach Investigations Report.

Joshua Daymont, principal with Securisea, says some companies are better at maintaining compliance than others. And it also depends on the details of the compliance report: Say a firm is found to have only 30 percent of its client machines running antivirus in an assessment, and then brings those machines into compliance with AV software. "Let's say the assessor comes back the next year and finds they have drifted out with the AV requirement, but only two computers don't have AV: they might be a computer that has not been used in a long time ... or a new computer and there was some process failure. In the report, it would show that they were out of compliance in those items, but the qualitative risk exposure is quite different" this year, he says.

That doesn't excuse noncompliance, he says, but that's an example of how the devil's in the details with assessments.

Verizon's report also found that nearly 90 percent of companies that were hit with breaches were not PCI-compliant at the time of the breach. "...breach victims are less compliant than a normal population of organizations," according to the report. "Though the disparity between the groups fluctuates per requirement, on average, PCI clients scored better than breach victims by a 50 percent margin. So while 'prove' may be too strong a word to use in this case, the results do suggest that an organization wishing to avoid breaches is better off pursuing PCI DSS than shunning it altogether."

Even more disconcerting, however, were the areas in which organizations are slipping the most: protecting stored cardholder data (Requirement 3); tracking and monitoring access to network resources and cardholder data (Requirement 10); regularly testing security systems and processes (Requirement 11); and maintaining an information security policy (Requirement 12).

The lack of logging is a big red flag, according to security experts. "This is an outrage. The PCI Data Security Standard is a pretty low bar as far as computer security goes. The fact that companies are having a hard time maintaining compliance with it speaks to the sorry state of data security in the Cloud Age," says Bill Roth, CMO of LogLogic. "Verizon’s report showed that PCI 10, which requires companies to log all activity in the network, is one of the top three standards companies are failing to meet. There’s no excuse for failing to meet this standard. It’s not that hard -- start an appliance, point your logs, done. This is our personal information. Companies need to show their customers more respect and implement decent security."

But the bottom line is that even with PCI compliance, breaches are still occurring. That's because attackers are able to adjust their techniques as companies shore up their defenses, says Securisea's Daymont. "That is likely to go on for some time," he says. "To me, the biggest takeaway here is that PCI has a lot of great requirements, and one is that merchants have to use AV ... but the reality is that many AV solutions today just haven't been able to stop malware threats."

There were some bright spots in the Verizon report as well. Some 78 percent of testing procedures had been met at the time of the initial assessment, and the use of encryption was on the increase, with 72 percent encrypting the transmission of cardholder data over open networks, up from 63 percent last year. Some 83 percent won't accept payment via email now. "In many instances, they are going beyond simply making it a policy and are backing it up with automated filtering at the mail servers that deny any e-mails containing cardholder data," says the Verizon report.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
