A report released by the IP network operator and security consultancy Verizon this week reveals that none of the organisations where Verizon has investigated payment card data breaches in the past six years was fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).
Those organisations were also found to show lower compliance with 10 out of the 12 PCI DSS key requirements.
The report’s authors say this demonstrates the link between data security standard compliance and organisations’ ability to defend themselves against cyberattacks.
The major payment card brands have made implementation of PCI DSS mandatory for all entities that process, store or transmit cardholder data, but Visa also offers an alternative program called the Technology Innovation Program (TIP) that allows qualified merchants to discontinue the annual PCI DSS validation assessment.
Verizon is a qualified assessor of PCI DSS compliance and has conducted 15,000 security assessments since 2009, including for Fortune 500 companies. Its 2017 report is based on the assessments its conducted in 2016.
The good news, says Verizon, is that the total number of organizations it assessed last year that achieved PCI compliance at interim validation has increased to 55.4 percent, up from 48.4 percent in 2015.
But this means that nearly half of retailers, restaurants, hotels and other business that take card payments are still failing to maintain compliance from year to year.
“There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks,” Verizon’s global managing director for security consulting, Rodolphe Simonetti, commented. “Whilst it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small – are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner.”
According to the report the IT services industry achieved the highest full compliance of all key industry groups studied. Globally, about three fifths (61.3 percent) of IT services organizations achieved full compliance during interim validation in 2016, followed by 59.1 percent of financial services organizations (which includes insurance companies), retail (50 percent) and hospitality (42.9 percent).
The 2017 PSR also flags the compliance challenges faced by specific business sectors including:
- Retail: security testing, encrypted data transmissions and authentication.
- Hospitality and travel: security hardening, protecting data in transit and physical security.
- Financial Services: security procedures, secure configurations, protecting data in transit, vulnerability management and overall risk management.
Real life examples in the report highlight situations where compliance controls are not followed. For example – a financial services organisation seeking exemption from the Wi-Fi requirements of PCI DSS was surprised to learn that it did in fact have a wireless network operating in its building – this lack of knowledge causing it to fail. The IT admin had got tired of traipsing from the server room in the basement to the IT department on the third floor, and so had installed a router to access the servers from his desk.
When looking at the PCI controls that companies would be expected to have in place (such as security testing, penetration tests etc), the report found an increased ‘control gap,’ meaning that many of these basics were absent. In 2015, companies failing their interim assessment had an average of 12.4 percent of controls absent; this increased to 13 percent in 2016.
“It is no longer the question of ‘if’ data must be protected, but ‘how’ to achieve sustainable data protection,” Simonetti continued. “Many organisations still look at PCI DSS controls in isolation and don’t appreciate that they are inter-related – the concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals – however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts.”
The 2017 PSR offers five key guidelines to assist with control lifecycle management:
- Consolidate for ease of management – Adding more security controls is not always the answer – the PCI DSS Standard already contains numerous interlinked data protection standards and regulations. Organisations should be able to use this to consolidate controls, making them easier to manage overall.
- Invest in developing expertise – Organisations should invest in their people to develop and maintain their knowledge of how to enhance, monitor and measure the effectiveness of controls in place.
- Apply a balanced approach – Companies need to maintain an internal control environment that is both robust and resilient if they want to avoid controls falling out of compliance.
- Automate everything possible – Applying data protection workflow and automation can be a huge asset in control management – but all automation also needs to be frequently audited.
- Design, operate, and manage the internal control environment – The performance of each control is inter-linked. If there is a problem at the top, this will impact the performance of the controls at the bottom. It is essential to understand this in order to achieve and maintain an effective and sustainable data protection program.
Troy Leach, chief technology officer for the PCI Security Standards Council commented: “The report highlights the challenges organisations have to consistently maintain security controls on an ongoing basis, leaving their cardholder data environments vulnerable to attack. This trend was a key driver for changes introduced in PCI Data Security Standard version 3.2., which focus on helping organisations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.”
Similar to Verizon’s Data Breach Investigations Report series, the 2017 PSR is based on actual casework with a specific focus on financial services (47.5 percent); IT services (22.3 percent), hospitality (15.1 percent) and retail (14.4 percent). Geographies include the Americas (42.4 percent), Europe (28.1 percent) and the Asia-Pacific region (29.5 percent).