3/12/2015
07:45 PM

7 In 10 Businesses Struggle To Sustain PCI Compliance

Maintaining PCI compliance is a bigger challenge than achieving it for many companies, Verizon study finds.

For many companies, maintaining compliance with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) appears to be more challenging than actually achieving it.

A new survey by Verizon on the state of PCI compliance among organizations that handle debit and credit card data shows that more companies than ever are achieving some form of compliance with the requirements of the standard.

Verizon reviewed (registration required) quantitative data from PCI assessments that it conducted over the last two years at customer locations and from data breach investigations it conducted for clients over the same period. The data showed that between 2013 and 2014, compliance rates went up substantially for 11 out of 12 major PCI requirements among companies required to meet the standard. The only area where compliance rates fell during the same period pertained to security testing. About 20 percent of the companies reviewed were fully compliant with all PCI requirements at interim assessment, compared to just over 11 percent in 2013 and barely 7.5 percent in 2012.

Despite such progress, 7 out of 10 companies that achieve PCI compliance fail to maintain that status even for a year. Verizon’s research showed that only 28.6 percent of companies managed to remain compliant for the full year between annual assessments.

A lot of that has to do with the continued failure by companies to implement robust measures for managing and maintaining compliance, once they have achieved it, says Andi Baritchi, global managing principal at Verizon and one of the authors of the report.

It’s common for organizations to conflate validation and compliance, Baritchi says. “Compliance means doing all of the things that PCI says you need to do during the year,” he said. “The assessment is merely a snapshot in time. It validates that Company X is compliant,” based on a specific assessment at a specific point in time.

Companies that suffer data breaches are often quick to note that they had been validated for compliance within the past year. But that doesn’t mean that they were in fact compliant at the time of the breach, Baritchi said. In fact, data from the past 10 years shows that not a single company that suffered a data breach was compliant with PCI requirements at the time of the incident, he said.

“This leads us to the question: has compliance become too complex, preventing organizations from looking at the ‘big picture’?” says Dave Oder, CEO of Shift4 Corp. “Organizations that focus on compliance, and jump through all of PCI’s hoops, may achieve compliance for a moment in time.”

But it is only organizations that are looking to be secure at all times that will find compliance easier to achieve and maintain, he says.

The 84-page Verizon report highlights the multiple factors that affect an organization’s ability to maintain compliance on a sustained basis. From a technical standpoint, the complexity of systems in an IT environment, the architectural design, the physical location of systems and the manner in which they are interconnected can all affect the level of investment and effort needed to maintain compliance, the report noted.

Similarly, an organization’s ability to sustain compliance at an operational level depends on factors like the proficiency of its IT organization and the culture of the organization regarding adherence to policies. The degree to which strategic, business, and data protection objectives are aligned can also impact compliance sustainability in a big way, Verizon said in its report.

“It is not uncommon for executives to make strategic business decisions (like changes to sales channels and mergers) without considering the potential impact on information security and compliance, and how that might affect the business case,” the report said.

The PCI Security Standards Council, which administers the standard, has somewhat controversially insisted for some time that organizations that implement and maintain compliance with all of PCI’s requirements will not get breached. It has noted, as Verizon does in its report, that every single company that has suffered a payment card data breach was also not PCI-compliant at the time.

In a statement responding to the Verizon report, the PCI Council’s general manager Stephen Orfei reiterated those sentiments. “Often an organization’s approach to PCI security is to focus on passing the annual compliance assessment,” he said. But this is only the start, he noted.

“Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice will help thwart [security threats],” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Drew Conry-Murray,
User Rank: Ninja
3/13/2015 | 11:07:51 AM
The PCI Farce
If a compliance program is so complex and ineffable that it can only be validated at the precise moment of observation, isn't the notion of compliance certification essentially a farce? Unless you're going to compel organizations to pay for constant third-party assessments to ensure compliance, what's the point of the program?