PCI DSS Compliance is Improving, But Not Yet Good Enough

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that companies must meet if they are to store, process or transmit cardholder data. Conformance with that standard is assessed on a yearly basis by qualified external assessors. Verizon is one of the world's major PCI DSS assessment firms, having performed nearly 4,000 annual assessments for more than 500 different companies over the last three years.

Each year Verizon compiles a report analyzing the degree of conformance achieved by its customers (which it describes as "mainly large multinationals with complex, multi-site environments"). These reports consequently analyze DSS compliance only among companies that are specifically seeking assessment from perhaps the world's leading PCI DSS assessment company. They do not indicate DSS conformance in the overall marketplace.

Nevertheless, the report is a valuable indicator of changing attitudes towards compliance. What this third annual report demonstrates is that companies are improving their security stance (as demonstrated by their degree of conformance), but that much is still to be done. For example, more than 82% of the companies assessed are now compliant with at least 80% of the standard (which contains 12 separate security 'requirements'). This compares to just 32% that achieved that level in 2012.

On the surface, this seems to contradict reality. The last few months have seen some of the biggest breaches in retail history (Target, Neiman Marcus, Michaels, etcetera, all companies that should be compliant with DSS); and it is tempting to suggest that if improved compliance improves security, there would be fewer, not more, breaches.

The report suggests, however, that payment card data breaches are not a failure of security technology or of the standard itself, but rather a failure to implement and sustain the required controls as intended. One reason, says Rodolphe Simonetti, managing director of Verizon's PCI practice, is that many organizations view "PCI compliance as a single annual event, unaware that compliance needs to have a 365 day-a-year focus." As a result, some firms tighten their security for the assessment but let it slip afterwards, and that is when they are most likely to be breached.

Ciske van Oosten, lead author of the report and director of operations for the PCI practice, offers a further perspective. Talking to Infosecurity, he noted that cyber attacks against the retail sector are continuously increasing. Of those attacks, he said, "we only hear about the successful attacks. We do not hear about all of the attacks that are prevented by the security implemented through conformance to PCI DSS. If there were attack disclosure requirements just as there are breach disclosure requirements," he continued, "we would probably see conformance to PCI DSS as the success it really is."

The Verizon report analyzes individual conformance to each of the twelve separate security requirements specified by the DSS. It finds that requirement 5 (protect systems from malware and keep anti-virus software up to date) is the best achieved (an average of 95.9% of the controls), with requirement 9 (restrict physical access to cardholder data) coming second (94.9% of the controls). The least achieved is requirement 3 (protect stored cardholder data), where companies were compliant with an average of 79.3% of the controls.

The report also highlights that there are regional differences in achieving compliance. 75% of companies in the Asia Pacific region achieved at least 80% overall compliance, compared with 65% in the US but only 31% in Europe. The reasons for this difference are complex. Van Oosten suggested that it might be a combination of both cultural and legal pressures. In the Asia Pacific region, conformance is a matter of pride. In the US, conformance is a business benefit and a marketing opportunity. In Europe, however, companies take a more pragmatic view: since sanctions for non-compliance have been relatively low in comparison to the cost of compliance, all too often companies decide not to make the effort.

But, says Simonetti, “Anything less than 100 percent compliance is an issue for businesses today. We have seen time and time again that noncompliance leaves an organization open to credit card theft, which can potentially cost hundreds of millions of dollars when you factor in all the damages, not to mention lost consumer trust and the impact on brand reputation. Organizations need to rethink how they factor in maintaining a PCI-compliant environment, whether it’s devoting more resources or working with a managed security services provider.”