Businesses Backsliding On PCI Compliance

It's been six years since the Payment Card Industry Data Security Standard (PCI DSS) was born, but most organizations worldwide still aren't remaining PCI-compliant year-round.

According to Verizon's newly published 2011 Payment Card Industry Compliance Report, 79 percent of organizations were not fully PCI compliant in their initial PCI audit in 2010, while only 21 percent were. That's about the same as last year's report, according to Verizon.

"Most of the clients in this review had been compliant with us previously or when another QSA" wrote the initial report of compliance, and most weren't new to PCI, says Jen Mack, director of Verizon's global PCI consulting services. "They were not able to maintain it throughout the year. They backslid."

Mack says that trend is likely in part due to other priorities overshadowing PCI throughout the year, but the underlying problem is that many organizations are not focusing on PCI as a year-round, long-term process. "[They] need a programmatic approach to make this easier to maintain ... there's a way to do it."

The organizations were achieving compliance and then at the next initial assessment, basically starting all over again in their rate of compliance. "It's still a good standard and it's not impossible to achieve compliance," Mack says. "The biggest thing in our report this year is that people are not able to or are not making the effort to maintain their compliance throughout the year."

Mack says the key is to fit PCI DSS requirements into a daily routine and to not just look at them as requirements that must be met when the qualified security assessor (QSA) comes knocking.

Verizon's report comes from findings in more than 100 PCI DSS assessments performed by its QSAs last year, and from data gathered by its investigative response group's work on payment card breach investigations. The company also analyzed the PCI data with findings from its 2011 Verizon Data Breach Investigations Report.

Joshua Daymont, principal with Securisea, says some companies are better at maintaining compliance than others. And it also depends on the details of the compliance report: Say a firm is found to have only 30 percent of its client machines running antivirus in an assessment, and then brings those machines into compliance with AV software. "Let's say the assessor comes back the next year and finds they have drifted out with the AV requirement, but only two computers don't have AV: they might be a computer that has not been used in a long time ... or a new computer and there was some process failure. In the report, it would show that they were out of compliance in those items, but the qualitative risk exposure is quite different" this year, he says.

That doesn't excuse noncompliance, he says, but that's an example of how the devil's in the details with assessments.

Verizon's report also found that nearly 90 percent of companies that were hit with breaches were not PCI-compliant. PCI clients scored better than breach victims by a 50 percent margin when it comes to PCI compliance. "...breach victims are less compliant than a normal population of organizations," according to the report. "Though the disparity between the groups fluctuates per requirement, on average, PCI clients scored better than breach victims by a 50 percent margin. So while ‘prove’ may be too strong a word to use in this case, the results do suggest that an organization wishing to avoid breaches is better off pursuing PCI DSS than shunning it altogether."

Even more disconcerting, however, were the areas in which they are slipping the most: in protecting stored cardholder data; tracking and monitoring access; regularly testing systems and processes; and maintaining security policies.

The lack of logging is a big red flag, according to security experts. "This is an outrage. The PCI Data Security Standard is a pretty low bar as far as computer security goes. The fact that companies are having a hard time maintaining compliance with it speaks to the sorry state of data security in the Cloud Age," says Bill Roth, CMO of LogLogic. "Verizon’s report showed that PCI 10, which requires companies to log all activity in the network, is one of the top three standards companies are failing to meet. There’s no excuse for failing to meet this standard. It’s not that hard -- start an appliance, point your logs, done. This is our personal information. Companies need to show their customers more respect and implement decent security."

But the bottom line is that even with PCI compliance, breaches are still occurring. That's because attackers are able to adjust their techniques as companies shore up their defenses, says Securisea's Daymont. "That is likely to go on for some time," he says. "To me, the biggest takeaway here is that PCI has a lot of great requirements, and one is that merchants have to use AV ... but the reality is that many AV solutions today just haven't been able to stop malware threats."

There were some bright spots in the Verizon report as well. Some 78 percent of testing procedures had been met at the time of the initial assessment, and the use of encryption was on the increase, with 72 percent encrypting the transmission of cardholder data over open networks, up from 63 percent last year. Some 83 percent won't accept payment via email now. "In many instances, they are going beyond simply making it a policy and are backing it up with automated filtering at the mail servers that deny any e-mails containing cardholder data," says the Verizon report.

A copy of the full report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.