3/12/2015
07:45 PM
7 In 10 Businesses Struggle To Sustain PCI Compliance

Maintaining PCI compliance is a bigger challenge than achieving it for many companies, Verizon study finds.

For many companies, maintaining compliance with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) appears to be more challenging than actually achieving it.

A new survey by Verizon on the state of PCI compliance among organizations that handle debit and credit card data shows that more companies than ever are achieving some form of compliance with the requirements of the standard.

Verizon reviewed (registration required) quantitative data from PCI assessments that it conducted over the last two years at customer locations and from data breach investigations it conducted for clients over the same period. The data showed that between 2013 and 2014, compliance rates went up substantially for 11 out of 12 major PCI requirements among companies required to meet the standard. The only area where compliance rates fell during the same period pertained to security testing. About 20 percent of the companies reviewed were fully compliant with all PCI requirements at interim assessment, compared to just over 11 percent in 2013 and barely 7.5 percent in 2012.

Despite such progress, 7 out of 10 companies that achieve PCI compliance fail to maintain that status even for a year. Verizon’s research showed that only 28.6 percent of companies managed to remain compliant for the full year between annual assessments.

A lot of that has to do with the continued failure by companies to implement robust measures for managing and maintaining compliance, once they have achieved it, says Andi Baritchi, global managing principal at Verizon and one of the authors of the report.

It’s common for organizations to conflate validation and compliance, Baritchi says. "Compliance means doing all of the things that PCI says you need to do during the year,” he said. “The assessment is merely a snapshot in time. It validates that Company X is compliant,” based on a specific assessment at a specific point in time.

Companies that suffer data breaches are often quick to note that they had been validated for compliance within the past year. But that doesn’t mean that they were in fact compliant at the time of the breach, Baritchi said. In fact, data from the past 10 years shows that not a single company that suffered a data breach was compliant with PCI requirements at the time of the incident, he said.

“This leads us to the question: has compliance become too complex, preventing organizations from looking at the 'big picture'?” says Dave Oder, CEO of Shift4 Corp. “Organizations that focus on compliance, and jump through all of PCI's hoops, may achieve compliance for a moment in time."

But it is only organizations that are looking to be secure at all times that will find compliance easier to achieve and maintain, he says.

The 84-page Verizon report highlights the multiple factors that impact an organization’s ability to maintain compliance on a sustained basis. From a technical standpoint, the complexity of systems in an IT environment, the architectural design, the physical location of systems and the manner in which they are interconnected, can impact the level of investment and effort needed to maintain compliance, the report noted.

Similarly, an organization’s ability to sustain compliance at an operational level depends on factors like the proficiency of its IT organization and the culture of the organization regarding adherence to policies. The degree to which strategic, business, and data protection objectives are aligned can also impact compliance sustainability in a big way, Verizon said in its report.

“It is not uncommon for executives to make strategic business decisions (like changes to sales channels and mergers) without considering the potential impact on information security and compliance, and how that might affect the business case,” the report said.

The PCI Security Standards Council, which administers the standard, has somewhat controversially insisted for some time that organizations that implement and maintain compliance with all of PCI's requirements will not get breached. It has noted, like Verizon does in its report, how every single company that has suffered a payment card data breach was also not PCI-compliant.

In a statement responding to the Verizon report, the PCI Council’s general manager Stephen Orfei reiterated those sentiments. “Often an organization’s approach to PCI security is to focus on passing the annual compliance assessment,” he said. But this is only the start, he noted.

“Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice will help thwart [security threats],” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

Drew Conry-Murray, User Rank: Ninja, 3/13/2015 | 11:07:51 AM

The PCI Farce
If a compliance program is so complex and ineffable that it can only be validated at the precise moment of observation, isn't the notion of compliance certification essentially a farce? Unless you're going to compel organizations to pay for constant third-party assessments to ensure compliance, what's the point of the program?