Endpoint

Verizon Report: Businesses Hit with Payment Card Breaches Not Fully PCI-Compliant

Companies struggle to maintain PCI compliance within a year of meeting it, according to a new payment security report by Verizon.

The number of businesses achieving full compliance with their annual Payment Card Industry Data Security Standard (PCI DSS) review reached a record 55.4% last year, but nearly half of companies fall out of compliance within a year, according to the Verizon 2017 Payment Security Report released today.

Even more telling: in all of the nearly 300 payment card data breaches that Verizon investigated in 2010 to 2016, the businesses hit were not fully PCI DSS-compliant at the time of their breach.

"There has been a year-over-year increase in the number of companies that are able to meet the first initial interim validation [first attempt] and that's great news. But is that good enough?" says Ron Tosto, global manager of the Verizon PCI Advise and Assessment Services. "We know that a number of these companies are not able to stay in compliance and only make it to the nine-month mark."

[Source: Verizon 2017 Payment Security Report]

Nearly half of companies reviewed by Verizon's qualified security assessors last year failed to reach full compliance in the initial review.

PCI DSS is comprised of 12 security requirements that businesses are expected to comply with if they accept, process, or store payment card information. And within each of these requirements, there are specific security actions that need to be performed, otherwise known as controls, to remain in compliance. There are over 200 controls in total, and PCI DSS regularly revises them, potentially making it difficult to remain compliant.

Although there are no federal laws that require companies to comply with PCI DSS, banks and the payment card brands such as, Visa, Mastercard, American Express, and Discover, as well as some states, enforce the requirements and will levy fines and penalties for non-compliance. The Payment Card Industry Security Standards Council (PCI SSC), meanwhile, is responsible for managing the standards.

Degree of Difficulty

The report found that nearly half of the companies that pass compliance will fall out of it within a year or sooner. Companies have 60 days from their initial review to become compliant. Once that is achieved, they receive a final PCI DSS compliance report, which must be revaluated again 12 months later.

"Compliance is incredibly challenging because you never fully arrive. It's a process that must be managed day in and day out. It requires that everyone in the organization own their part in security, which integrates with how they get their job done." says Dawn Koenninger, a vice president at SOLE Financial, which manages a payroll card program and is currently PCI DSS compliant. "Not easy to do when you're in high growth mode. You must have buy-in at all levels, but most importantly from the top." 

The security testing requirement in PCI DSS continues to top the list of requirements that are difficult to comply with. Only 71.9% of companies are able to fully comply with this requirement when initially evaluated, Verizon found. This requirement calls for vulnerability scanning, penetration testing, use of intrusion detection, and file integrity monitoring.

"To be effective, testing has to be on a routine basis and follow any major change to an operating environment. Following the companies have to understand the findings, remediate the issues, then retest the environment," Tosto says. "Common mistakes include missing periodic testing, taking action to correct security issues found documented in the test report, and not validating the security issue correction with a retest."

Some companies don't fully grasp the differences between the types of testing within Requirement 11 of the PCI DSS, he notes. He recommends companies fully understand testing and develop testing control effectiveness using the Pin Security Requirements (PSR) as a guide.  

PCI DSS's requirement #6 - develop and maintain secure systems - and requirement #12, maintain a policy that addresses information security for all personnel, ranked among the second most difficult to achieve full compliance, with each only garnering success among 77.7% of the companies initially evaluated.

Companies that failed their initial compliance review last year were also missing more controls than in the previous year, the report found. Companies were missing an average of 13% of the controls overall last year, whereas the previous year it was 12.4%.

Source of the Pain

Meeting PCI DSS requirements is like training to be a long-distance runner, Tosto says:  "A runner doesn't show up to run on day one, they practice," he says.

But he notes there are common challenges companies face to make those "practice" sessions happen. A shortage of IT security workers, an insufficient security budget, and an absence of a process to keep the maintenance of the requirement controls in place, are the three main contributors that make it challenging for companies to meet and maintain PCI DSS compliance, Tosto says.

Troy Leach, chief technology officer of the PCI Security Standards Council, agrees those three challenges can trip up a company in their compliance efforts, especially the one when it comes to developing a maintainable process.

When the person heading up a business' PCI compliance process leaves the company, for example, that can disrupt compliance, he says, as can a merger. A documented process should be put in place, he notes.

"Your people and technology may change, but if the process remains the same, it will not have as great of an impact," Leach says.

Avivah Litan, a Gartner analyst, says budget and funding to fulfill the PCI DSS requirements weigh heavy on the minds of CISOs. "When I talk to CISOs in the hotel and restaurant industries, they are frustrated they can't get the CEO's support," Litan says. "They [CEOs] say, 'why fund it when we haven't had a breach?'"

Verizon's report shows that IT services achieved the highest level of compliance, with 61.3% hitting the mark during evaluation process, followed by financial services, 59.1%; and retail, 50%. Less than 43% of the hospitality industry, which includes hotels, was compliant.

Litan says PCI DSS compliance should fall on the payment card brands and banks - not on merchants. "The standards are unrealistic for merchants to meet because this is not their business and core competency," she says. "It should fall on the banks to develop a secure system."

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
menuisier69
50%
50%
menuisier69,
User Rank: Apprentice
9/6/2017 | 5:13:13 AM
Re: pci compliance
who trust in payment card anymore ?
xanthan99
50%
50%
xanthan99,
User Rank: Strategist
9/5/2017 | 10:30:03 AM
...a journey not a destination
Boss: You're telling me if we're PCI-DSS compliant we can get a better processing rate from the bank?

Security Professional: Yes, but we need to remain compliant year over year.

Boss: Ah yeah, but our sales margin will improve?

Security Professional: Yes, but we have to dedicate an ongoing level of effort to staying compliant!

Boss: Yeah, yeah but it will improve profitability!

Security Professional: But there is a tech cost.

Boss: Cost? of course, we'll buy you guys a new high-end coffee maker!

 
pdantini06901
50%
50%
pdantini06901,
User Rank: Apprentice
9/2/2017 | 11:42:02 PM
pci compliance
The responsibility of maintaining a secure credit card processing environment must rest with credit card processing companies.  A small business can secure their network and data with a certain set of clear rules but the rules as written would be a challange for a security Specialist to implement in a small business environment with a small budget.  The point of paying a discount fee and processing fees for a small business is to insure that the majority of the risk is assumed by the credit card processor.  If the current environment continues I see a time where other forms of payment will be preferred by small business and the majority processors left wondering what occured to their volume/business.  

 

How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.