Companies getting better at PCI DSS compliance, finds Verizon

Verizon's fourth annual report into PCI DSS compliance finds that not a single breached company over the last decade has been fully compliant with PCI standards at the time of breach. However, there is at least light at the end of the tunnel.

Companies getting better at PCI DSS compliance, finds Verizon
Companies getting better at PCI DSS compliance, finds Verizon

The report, which is based on thousands of assessments in more than 30 countries worldwide, looks at 12 PCI compliance requirements including compliance in regards to PCI version 3.0, which is due to be superseded by 3.1 in the near future.

The headline statistics include that four in five (80 percent) companies fail an interim assessment, that not a single firm breached over the last decade had been fully compliant with PCI standards at the time of the breach and that only just over a quarter (28.6 percent) of companies were fully compliant again one year after successful validation.

In slightly more positive news, compliance was up for 11 out of 12 PCI DSS requirements between 2013 and 2014, with twice as many companies validated as compliant at the initial compliance review.

The average increase was 18 percentage points, with the biggest increase seen in authenticating access (Requirement 8).  The only area where compliance fell was for testing security systems (Requirement 11), which dropped from 40 to 33 percent. 

Approximately 20 percent of organisations achieved full compliance this year, compared to 11 percent last year and 7.5 percent in 2012.

As well as the effect on breaches, Verizon also highlighted the potential loss of business from not being compliant; 69 percent of surveyed consumers indicating that they would be less inclined to do business with a breached organisation.

“Compliance at a point in time isn't sufficient to protect data,” said Rodolphe Simonetti, managing director for Verizon's PCI practice. “Putting the focus on making compliance sustainable is key.  It must be a part of day-to-day activities within an organisation's greater security strategy.”

“Many organisations are taking the wrong approach to PCI DSS compliance,” 2-Sec CEO and ISSA-UK president Tim Holman told SCMagazineUK.com. “Instead of looking for creative ways around the problem, such as reducing the amount of cardholder data stored and/or outsourcing to fully compliant service providers, they're trying to tackle the problem in situ, and that's where they fail.  

“PCI DSS is a complex beast, and it only works on a well-defined scope, that a merchant has already made significant efforts to reduce.  It's where merchants just try and apply PCI to everything, without making changes to the way they handle payment processing, that things go wrong and data breaches happen.”

Chris Oakley, principal security consultant at Nettitude, added in an email to SC: “Experience suggests that organisations are increasingly using PCI compliance as an important guide for their cyber-security strategy.  Historically it was often viewed as a necessary evil required in order to do business online.  A number of high profile breaches in recent years have, perhaps, altered that view.  PCI compliance is now, more often than not, the thin end of the wedge for developing a culture of robust security.  

“There will always be organisations that view compliance as a tick box exercise, but the Verizon report is pleasantly surprising because it suggests that this outlook is decreasing. This is in line with what we're observing in the real world. 

“It is disappointing, however, to see that basic and fundamental security defences are still not the norm. For example, the report states that requirement two, “Do not use default passwords or security parameters”, is only complied with in 67 percent of organisations. It should not take PCI DSS for individuals to realise that using default credentials is a high risk practice; even home users are typically aware of that risk.”  

Meanwhile, Matthew Tyler, CEO of security and compliance consultancy Blackfoot, told SC that PCI continues to be geared up for the wrong purposes, saying that security and compliance are different things and that adhering to the standard is impossible when breaches can last for months and changes are made to networks on a daily basis.

He said that despite the report's findings, he had himself seen “a really bad year [for the industry] with record data card breaches” and said that compliance costs were rising, without any notable increase in security.

“There's a big difference between compliance and security and we're building a tick-box culture. Compliance gives you costs, but security gives you security”.

He added on PCI that – with 300 questions to be answered on the self-assessment questionnaire – “no-one business can be compliant all the time.” He hopes changes will be made with upcoming PCI DSS 3.1 and eventually hopes of a ‘culture change' where trusted vendors, such as Apple with Apple Pay and PayPal, act as the go-between between the user and retailer.

Benjamin Hosack, director at QSA Foregenix, added:  “As the cost of cyber-crime has reached £3.56 million in the UK, it's worrying that merchants are still not taking payment security seriously.  Businesses need to ensure that security is baked into their payment systems and becomes a part of their normal business operations.

“The recently launched Version 3.0 of the PCI DSS should encourage this and we'd highly recommend that the PCI DSS forms the basis of a business' cyber-security strategy. Online merchants are being targeted the most frequently so e-commerce businesses should be looking carefully at how to effectively protect their businesses in the face of the rising levels of attacks.”