Verizon's 2014 Compliance report comes ahead of some significant milestones set for the year ahead. PCI DSS turns ten years old, version 2.0 expires on December 31st and, the following day, DSS 3.0 becomes effective, mandatory and validation assessments begin.
But this latest report found that compliance numbers remain in the double digits, at least when judged against the 12 requirements, and revealed that less compliant organisations are more likely to be breached. This is clearly a big trend given the data breaches suffered by Target, Neiman Marcus and Michaels Stores in the US, while a dated report from Nilson last August found that global card fraud losses reached £6 million (US$ 10 billion) in 2012.
Given these aforementioned instances, the Verizon report makes for an eye-opening read. It reveals that just 11.2 percent of organisations passed all 12 PCI 2.0 requirements - up slightly from 7.2 percent the year before – and says that companies are on average compliant with 85.2 percent of controls. Over half (51.1 percent) passed over half of PCI requirements.
The report details the key areas where companies fall down; namely vulnerability scanning, pen testing and auditing of network resources (requirement 11) as well as a tendency to “opt for the cheapest, quickest and most superficial testing that will allow them to ‘check to box'." European companies seemed worse than most, with just 31.3 percent adhering to 80 percent of DSS 2.0 controls, compared to 56 percent in North America and 75 percent in Asia Pacific.
‘Card security can't be a once a year event'
Kim Haverblad, one of the co-authors of the report and Northern Europe Professional Services Manager for PCI Practise at Verizon Enterprise Solutions, told SCMagazineUK.com that improvements are being made – “at least PCI is pushing organisations in the right way” – but concurs with the study that the majority of organisations are going about implementation the wrong way, and often without C-level support.
“A lot of companies lack the proper support for integrating PCI. [They] need to look at this at a much high level, and it's clear that there must be support from C-level.”
Haverblad said that simplified terminology, among other things, had helped companies implement PCI compliance in the “proper way” more recently, but – despite version 3.0 being just 10 months away – claims that further improvements are unlikely so long as businesses approach PCI as a one-off project.
“It should be a continuous operation, not a one-off programme. It's an ongoing project – and it's the only way to survive. Otherwise, [businesses] often start to fall back into old habits and they then need to review the PCI compliance from scratch again.”
Tim Holman (pictured right), CEO of pen testing consultancy 2-sec and president of ISSA UK, went one step further suggesting that companies may never get PCI compliance right.
“There will always be a lack of business focus on PCI DSS Compliance – it's just the way businesses are run,” he told SCMagazineUK.com. “If you're lucky, you might get a company to focus on PCI DSS for a few months, just to get to an audit-ready state, and sometimes companies learn the hard way, get breached, and are forced to undergo an in-depth PCI DSS analysis.
“Business focus can also be gained by waving a very big stick, but to date, the non-compliance fines issued by the card schemes are peanuts to the larger merchants that can simply afford to absorb these costs – besides the fines are still cheaper than having to gain full PCI DSS Compliance.”
Bob Russo, general manager for the PCI Security Standards Council, and Dell SecureWorks' Gavin Weir agreed with Holman that this type of compliance often comes about on a sporadic basis. In an email exchange with SCMagazineUK.com, Russo urged firms to build PCI into “business as usual” practice - something which is likely be more achievable when version 3.0 goes live.
“These findings, coupled with recent breach incidents, highlight the need for businesses to build security into their ‘business as usual' practices, and the need for a layered approach to securing data - one that focuses on security not compliance,” said Russo.
“Card security can't be a once a year event, when a compliance assessment is due, but rather must be a daily occurrence. The changes introduced with the latest version of the PCI DSS and PA-DSS (version 3.0) focus on helping organisations do this better by adding increased flexibility in the requirements, and an emphasis on greater education and awareness.
“Ongoing deployment and maintenance of PCI Standards as business-as-usual is the best way to protect payment card data.
Weir, principal security consultant at Dell SecureWorks, added that too many PCI compliance cases are treated on an annual basis and by project teams that are soon disbanded.
“Project teams are formed but once compliant, the people disappear and everything goes back to business as usual.” He added that this was truer of first time re-assessments, but noted that this method was “still happening” with companies into the third or fourth PCI reassessment.
Verizon too revealed in the report that the PCI problems stem from poor sustainability by organisations.
“Our research also shows that the vast majority of organisations are still not sufficiently mature in their ability to implement and maintain a quality, sustainable PCI Security compliance programme, and they continue to struggle to provide the required compliance evidence at the time of the annual compliance validation assessment,” the report reads.
“There's significant variation across the individual requirements, controls, and sub-controls; as well as across industries and regions. Despite a decade of discussion, clarification, and education, there are fundamental disagreements and misunderstandings around critical areas of security and compliance, including how to define the scope of compliance itself, and how compliance is assessed.
“Some even regard the DSS, even in its latest 3.0 guise, as taking fundamentally the wrong approach to security.”
This is something which struck a cord with Forrester analyst Andrew Rose (pictured left), who believes that PCI compliance can get too hung up on ensuring minimum standards.
“Many times a breach is caused not by a failure to comply with the basic requirements of PCI, but more around a failure of imagination,” he told SCMagazineUK.com.
“The Target breach, for example; I'm sure that would have successfully breached the vast majority of PCI compliant firms. It's not that the standard is fundamentally flawed, as no formal standard can keep pace with technological change, it's that it's implementation is often too focussed on compliance, and achieving minimum standards of control to achieve compliance rather than seeking real control rigor.”
“If compliance is all the firm seeks, then 'compliant' is the best they can achieve. If, however, they seek to be secure, then compliance can be a by-product of that.”
QSA issues muddy the water
But aside from calls for continued assessment, C-level input and a need for greater education and integrating security as “business as usual”, there are also calls for greater clarity on the QSA side of things. QSAs – qualified security assessors - typically work with companies to ensure their PCI compliance is up to scratch.
2-Sec CEO Tim Holman, a QSA himself, admitted that QSA hands are tied when it comes to monitoring businesses.
“As a QSA, we can only assess a limited sample of business systems at a given point in time,” he told SCMagazineUK.com. We can't go back in time, or forward in time and comment on how a business was run, or how a business will be run, and if we do see a business has "fallen out" of compliance since we last paid a visit then the advice they get from the card schemes is to "make sure they are compliant moving forwards".
“Perhaps if companies were penalised for lapses in compliance then this wouldn't happen, but again, how does one enforce this? How can you make sure a company is in continual compliance without employing a team of QSAs full-time to sit there and hinder their business? You can't. You leave it in the hands of the business to manage their own compliance and the card schemes and banks trust that companies are doing so properly.”
Weir added that some companies often indulge in “QSA hopping”, a dangerous game as some compliance requirements can differ on interpretation.
“Sometimes choosing a QSA becomes a cost issue – choosing the cheapest – but this has not been born out in practise. QSAs can interpret things differently. There are 289 requirements and as many as 30 to 40 of those are subject to interpretation.”
Verizon's report also details that QSAs are unable to provide 100 percent validation because they're assessing a small selected sample -- which are often subject to interpretation.
Espion senior consultant John Hetherton, also a PCI QSA himself, urged QSA to “challenge the data” in order to stop firms from failing to maintain the PCI DSS standard on a continuous basis.
“The role of a PCI QSA is to challenge the data, look for evidence beyond the day of assessment that demonstrates all 12 requirements are adhered to all the time. In some cases, particularly in larger environments, auditors will recommend periodic health checks to ensure that compliance is being met throughout the year, thereby avoiding a shock come audit time. While PCI DSS must be achieved by organisations it is equally important to maintain it, a good assessor will advise, consult and promote getting it right.”
Verizon was keen to stress that moves are being made to improve DCI DSS compliance. Indeed, one finding from the study revealed that 60 percent of all companies had met requirement 10 - to track and monitor all access to network resources and cardholder data, up from 39.2 percent in 2012, while DCI DSS 3.0 is expected to herald better tracking of cardholder data, improved authentication and greater awareness of malware threats. The changes should also see stronger enforcement around penetration testing, and better password implementation too.
But reports like these illustrate that PCI DSS compliance is by no means straightforward - or easy.
*SC UK is holding a webinar on PCI security issues in May. Further details to be announced on the website, newswire and in the magazine.