Compliance with payment security features of the PCI data security standard (DSS) dropped significantly in 2014.
According to the 2015 PCI Compliance Report, 80 per cent of businesses fail their interim PCI compliance assessment, while less than a third (28.6 per cent) of companies had maintained full compliance within a year of validation, and no more than 74 per cent had sustained compliance with any individual Requirement.
Based on four years of data and including the results from thousands of PCI assessments conducted by Verizon’s team of PCI Qualified Security Assessors, the PCI Report is based on analysis of PCI Data Security assessment data.
This year’s findings indicate that only 28 percent of companies are still fully DSS-compliant less than a year after being validated. While annual compliance and ongoing control standard maintenance remains low, there is some positive news in the 2015 report. Also, of all the data breaches that the Verizon forensics team has investigated over the last ten years, not a single organisation was PCI DSS compliant at the time of the breach.
In an email to IT Security Guru, Kim Haverblad, Northern Europe professional services manager of the PCI practice at Verizon, said that the reason that less then a third of companies had maintained full compliance within a year of validation was because there has always been a number of areas where PCI DSS has been a challenge when it comes to implementing the controls, such as requirement 11 “Regularly test security systems and process”, which is frequently on our Bottom 20 list. “Often this is due to poor implementation, bad processes and procedures, or lack of awareness; not necessarily due to technology constrains,” he said.
Asked if he felt that the failure to comply led to the multiple payment breaches in 2014, Haverblad said: “While I don’t have any statistics to confirm whether this is a reason for an increase of so many payment breaches in 2014; it’s clearly a contributor if an organisation isn’t fully compliant and has gaps in their security layered model, which after all, PCI DSS does try to implement with the various security domains.
“Once you start to slip in one area it will have an impact on other supporting areas and without proper supporting processes and procedures one can often see negative spiral on compliance in an organisations.”
Of all the data breaches studied, Verizon’s findings clearly show that not a single company was fully PCI-compliant at the time of the breach and the two key areas where organisations fall out of compliance include regularly testing security systems and processes and maintaining firewalls.
Rodolphe Simonetti, managing director for Verizon’s PCI practice, said: “Given the volume and scale of data breaches in the last 12 months make it clear that current techniques are not stopping attackers – in many cases they aren’t even slowing them down. PCI DSS Compliance is must be viewed as part of a comprehensive information security and risk-management strategy. A PCI DSS assessment can uncover important security gaps that should be fixed, but it is no guarantee that the data is safe.”
Luther Martin, chief security architect at HP Security Voltage, said that the PCI standard describes a reasonable baseline of controls that everyone should follow, but how these are implemented is really determined by the particular configuration of a particular set of systems.
“Once those systems evolve, like they have to do to stay useful and relevant, it’s easy to end up with a configuration that isn’t as secure as the previous one,” he said. “When this happens, it’s easy to stop complying with the PCI DSS, as well as many other data security regulations. So the data that appears in Verizon’s recent report that suggests that organisation are having difficulty maintaining PCI DSS compliance shouldn’t come as a surprise to anyone.”
Adam Winn, manager of OPSWAT, said: “PCI-DSS is sometimes considered the poster child of effective an compliance program, and for good reason. Payment processing is a ripe target for attackers, as the payouts can be substantial for a successful attack. There’s a tangible connection to security when a consumer completes a transaction. This type of awareness creates a competitive environment where companies must maintain a high level of security, perceived or actual.
“This is in stark contrast to other industries – specifically healthcare and HIPAA. Consumers often lack any or all choice when it comes to selecting their health care provider, while hospitals and doctors do not advertise the security of their medical records systems, and consumers rarely consider the very real financial impact of medical record theft. For this reason, there’s comparatively less industry and consumer pressure to improve the state of HIPAA technical standards.”