8/31/2017
12:20 PM
Verizon Report: Businesses Hit with Payment Card Breaches Not Fully PCI-Compliant

Companies struggle to maintain PCI compliance within a year of meeting it, according to a new payment security report by Verizon.

The number of businesses achieving full compliance with their annual Payment Card Industry Data Security Standard (PCI DSS) review reached a record 55.4% last year, but nearly half of companies fall out of compliance within a year, according to the Verizon 2017 Payment Security Report released today.

Even more telling: in all of the nearly 300 payment card data breaches that Verizon investigated from 2010 to 2016, the businesses hit were not fully PCI DSS-compliant at the time of their breach.

"There has been a year-over-year increase in the number of companies that are able to meet the first initial interim validation [first attempt] and that's great news. But is that good enough?" says Ron Tosto, global manager of the Verizon PCI Advise and Assessment Services. "We know that a number of these companies are not able to stay in compliance and only make it to the nine-month mark."

[Source: Verizon 2017 Payment Security Report]

Nearly half of companies reviewed by Verizon's qualified security assessors last year failed to reach full compliance in the initial review.

PCI DSS consists of 12 security requirements that businesses are expected to comply with if they accept, process, or store payment card information. Within each of these requirements there are specific security actions that must be performed, known as controls, to remain in compliance. There are over 200 controls in total, and PCI DSS regularly revises them, which can make it difficult to remain compliant.

Although there are no federal laws that require companies to comply with PCI DSS, banks and the payment card brands, such as Visa, Mastercard, American Express, and Discover, as well as some states, enforce the requirements and will levy fines and penalties for non-compliance. The Payment Card Industry Security Standards Council (PCI SSC), meanwhile, is responsible for managing the standards.

Degree of Difficulty

The report found that nearly half of the companies that pass compliance will fall out of it within a year. Companies have 60 days from their initial review to become compliant. Once that is achieved, they receive a final PCI DSS compliance report, which must be re-evaluated 12 months later.

"Compliance is incredibly challenging because you never fully arrive. It's a process that must be managed day in and day out. It requires that everyone in the organization own their part in security, which integrates with how they get their job done," says Dawn Koenninger, a vice president at SOLE Financial, which manages a payroll card program and is currently PCI DSS compliant. "Not easy to do when you're in high growth mode. You must have buy-in at all levels, but most importantly from the top."

The security testing requirement in PCI DSS continues to top the list of requirements that are difficult to comply with. Only 71.9% of companies are able to fully comply with this requirement when initially evaluated, Verizon found. This requirement calls for vulnerability scanning, penetration testing, use of intrusion detection, and file integrity monitoring.

"To be effective, testing has to be on a routine basis and follow any major change to an operating environment. Following that, companies have to understand the findings, remediate the issues, then retest the environment," Tosto says. "Common mistakes include missing periodic testing, taking action to correct security issues found documented in the test report, and not validating the security issue correction with a retest."

Some companies don't fully grasp the differences between the types of testing within Requirement 11 of the PCI DSS, he notes. He recommends that companies fully understand testing and develop effective testing controls, using the PIN Security Requirements (PSR) as a guide.

PCI DSS's Requirement 6 (develop and maintain secure systems) and Requirement 12 (maintain a policy that addresses information security for all personnel) tied as the second most difficult to achieve full compliance with, each reached by only 77.7% of the companies initially evaluated.

Companies that failed their initial compliance review last year were also missing more controls than in the previous year, the report found. Companies were missing an average of 13% of the controls overall last year, whereas the previous year it was 12.4%.

Source of the Pain

Meeting PCI DSS requirements is like training to be a long-distance runner, Tosto says: "A runner doesn't show up to run on day one, they practice."

But he notes there are common challenges companies face in making those "practice" sessions happen. A shortage of IT security workers, an insufficient security budget, and the absence of a process for keeping the required controls maintained are the three main contributors that make it challenging for companies to meet and maintain PCI DSS compliance, Tosto says.

Troy Leach, chief technology officer of the PCI Security Standards Council, agrees those three challenges can trip up a company's compliance efforts, especially the lack of a maintainable process.

When the person heading up a business' PCI compliance process leaves the company, for example, that can disrupt compliance, he says, as can a merger. A documented process should be put in place, he notes.

"Your people and technology may change, but if the process remains the same, it will not have as great of an impact," Leach says.

Avivah Litan, a Gartner analyst, says budget and funding to fulfill the PCI DSS requirements weigh heavy on the minds of CISOs. "When I talk to CISOs in the hotel and restaurant industries, they are frustrated they can't get the CEO's support," Litan says. "They [CEOs] say, 'why fund it when we haven't had a breach?'"

Verizon's report shows that IT services achieved the highest level of compliance, with 61.3% hitting the mark during the evaluation process, followed by financial services at 59.1% and retail at 50%. Less than 43% of the hospitality industry, which includes hotels, was compliant.

Litan says PCI DSS compliance should fall on the payment card brands and banks - not on merchants. "The standards are unrealistic for merchants to meet because this is not their business and core competency," she says. "It should fall on the banks to develop a secure system."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
pdantini06901
User Rank: Apprentice
9/2/2017 | 11:42:02 PM
pci compliance
The responsibility of maintaining a secure credit card processing environment must rest with credit card processing companies. A small business can secure their network and data with a certain set of clear rules, but the rules as written would be a challenge for a security specialist to implement in a small business environment with a small budget. The point of paying a discount fee and processing fees for a small business is to ensure that the majority of the risk is assumed by the credit card processor. If the current environment continues, I see a time where other forms of payment will be preferred by small business and the majority of processors left wondering what occurred to their volume/business.

menuisier69
User Rank: Apprentice
9/6/2017 | 5:13:13 AM
Re: pci compliance
Who trusts payment cards anymore?

xanthan99
User Rank: Strategist
9/5/2017 | 10:30:03 AM
...a journey not a destination
Boss: You're telling me if we're PCI-DSS compliant we can get a better processing rate from the bank?

Security Professional: Yes, but we need to remain compliant year over year.

Boss: Ah yeah, but our sales margin will improve?

Security Professional: Yes, but we have to dedicate an ongoing level of effort to staying compliant!

Boss: Yeah, yeah but it will improve profitability!

Security Professional: But there is a tech cost.

Boss: Cost? of course, we'll buy you guys a new high-end coffee maker!
