It’s around six months since the initial guidelines for the third version of the PCI data security standard were published.
What caught my eye were the introduction of penetration testing factors and requirement 12 to “ensure that the security policy and procedures clearly define information security responsibilities for all personnel”. An interesting study appeared afterwards from Verizon, who ahead of their data breach investigations report, released some interesting statistics around PCI DSS compliance.
Report author Ciske van Oosten found that despite there being an improvement in the number of companies achieving compliance with the payment card industry data security standard (PCI DSS), only 40 per cent of surveyed companies complied with requirement 11 – specifically about regularly testing environments. Since version 3.0 of the standard requires penetration testing, he said that at the time of the baseline assessment, only 40 per cent of companies were compliant.
The survey by Verizon found that there was a 28.7 per cent increase in compliance with the requirement; this was the least complied with requirement. van Oosten said that this was about companies that fail to implement a network vulnerability program, where they maintain vulnerability scans and penetration tests, to test the effectiveness of their systems.
Based on findings from hundreds of PCI DSS assessments, conducted by Verizon’s team of PCI Qualified Security Assessors (QSAs) over the last two years, the report did find 51 per cent of firms passed on seven of the requirements, but only 11 per cent complied with all of the DSS requirements.
“This highlights the issue of maintaining compliance and this is something that we see as an issue in the industry,” he said.
“There are various reasons why Europe have a perceived lower level of PCI DSS compliance at the time of a baseline compliance assessment. The attention on compliance, and promoting PCI Security is relatively lower in various European countries.”
Asked why Europe would be lower in levels of compliance, he said that Europe is a complex region with many countries and some unique challenges in comparison to other regions, such as North America.
He said: “Comparing Western Europe where organisations may have higher levels of data protection maturity, but have older payment card technology in terms of infrastructure and applications, often struggle to get these legacy systems compliant with PCI Security requirements.
“In comparison, countries in the Baltics, or other Eastern European regions, for example, may have relatively newer payment infrastructure and systems, and can reach compliance quicker. They may experience fewer delays during initial compliance due to dealing with legacy system-related compliance issues. Yet, these organisations also tend to initially lower levels of information security maturity.”
Looking at some of the other findings, van Oosten’s report showed that there are various organisations in Europe that do not apply the required focus on data protection and compliance. “PCI Security requires organisations to have effective log monitoring systems and response procedures in place. The ability to detect suspected attacked, and respond to data breaches sooner, is often what determines the overall impact and eventual outcome of a data breach,” he said.
To substantiate this, the report found that 73 per cent of businesses were compliant with requirement 12 – ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Van Oosten said that this shows PCI Security compliance needs to be approached within a wider context; with a sound and integrated corporate strategy around risk management, policies, and security governance, also integrating people, process and technology to make data protection part of “business-as-usual” – and not a once a year activity merely for compliance purposes.
For requirement 4, “encrypt transmission of cardholder data across open, public networks”, the report found that 68 per cent of respondents complied with this requirement. However, there was a bright spot in the report: organisations’ initial compliance with the PCI standard has shown some improvement as in 2013, more than 82 per cent of organisations were compliant with at least 80 per cent of the PCI standard at the time of their annual baseline assessment, compared to just 32 per cent in 2012.
In a year which has seen retailers breached, and subsequently the compliance framework questioned, maybe things are slowly improving bit by bit and this can only be a positive thing.
Ciske van Oosten, PCI Security Services EMEA senior manager at Verizon Business, was talking to Dan Raywood.