Endpoint

8/31/2017
12:20 PM
50%
50%

Verizon Report: Businesses Hit with Payment Card Breaches Not Fully PCI-Compliant

Companies struggle to maintain PCI compliance within a year of meeting it, according to a new payment security report by Verizon.

The number of businesses achieving full compliance with their annual Payment Card Industry Data Security Standard (PCI DSS) review reached a record 55.4% last year, but nearly half of companies fall out of compliance within a year, according to the Verizon 2017 Payment Security Report released today.

Even more telling: in all of the nearly 300 payment card data breaches that Verizon investigated in 2010 to 2016, the businesses hit were not fully PCI DSS-compliant at the time of their breach.

"There has been a year-over-year increase in the number of companies that are able to meet the first initial interim validation [first attempt] and that's great news. But is that good enough?" says Ron Tosto, global manager of the Verizon PCI Advise and Assessment Services. "We know that a number of these companies are not able to stay in compliance and only make it to the nine-month mark."

[Source: Verizon 2017 Payment Security Report]

Nearly half of companies reviewed by Verizon's qualified security assessors last year failed to reach full compliance in the initial review.

PCI DSS is comprised of 12 security requirements that businesses are expected to comply with if they accept, process, or store payment card information. And within each of these requirements, there are specific security actions that need to be performed, otherwise known as controls, to remain in compliance. There are over 200 controls in total, and PCI DSS regularly revises them, potentially making it difficult to remain compliant.

Although there are no federal laws that require companies to comply with PCI DSS, banks and the payment card brands such as, Visa, Mastercard, American Express, and Discover, as well as some states, enforce the requirements and will levy fines and penalties for non-compliance. The Payment Card Industry Security Standards Council (PCI SSC), meanwhile, is responsible for managing the standards.

Degree of Difficulty

The report found that nearly half of the companies that pass compliance will fall out of it within a year or sooner. Companies have 60 days from their initial review to become compliant. Once that is achieved, they receive a final PCI DSS compliance report, which must be revaluated again 12 months later.

"Compliance is incredibly challenging because you never fully arrive. It's a process that must be managed day in and day out. It requires that everyone in the organization own their part in security, which integrates with how they get their job done." says Dawn Koenninger, a vice president at SOLE Financial, which manages a payroll card program and is currently PCI DSS compliant. "Not easy to do when you're in high growth mode. You must have buy-in at all levels, but most importantly from the top." 

The security testing requirement in PCI DSS continues to top the list of requirements that are difficult to comply with. Only 71.9% of companies are able to fully comply with this requirement when initially evaluated, Verizon found. This requirement calls for vulnerability scanning, penetration testing, use of intrusion detection, and file integrity monitoring.

"To be effective, testing has to be on a routine basis and follow any major change to an operating environment. Following the companies have to understand the findings, remediate the issues, then retest the environment," Tosto says. "Common mistakes include missing periodic testing, taking action to correct security issues found documented in the test report, and not validating the security issue correction with a retest."

Some companies don't fully grasp the differences between the types of testing within Requirement 11 of the PCI DSS, he notes. He recommends companies fully understand testing and develop testing control effectiveness using the Pin Security Requirements (PSR) as a guide.  

PCI DSS's requirement #6 - develop and maintain secure systems - and requirement #12, maintain a policy that addresses information security for all personnel, ranked among the second most difficult to achieve full compliance, with each only garnering success among 77.7% of the companies initially evaluated.

Companies that failed their initial compliance review last year were also missing more controls than in the previous year, the report found. Companies were missing an average of 13% of the controls overall last year, whereas the previous year it was 12.4%.

Source of the Pain

Meeting PCI DSS requirements is like training to be a long-distance runner, Tosto says:  "A runner doesn't show up to run on day one, they practice," he says.

But he notes there are common challenges companies face to make those "practice" sessions happen. A shortage of IT security workers, an insufficient security budget, and an absence of a process to keep the maintenance of the requirement controls in place, are the three main contributors that make it challenging for companies to meet and maintain PCI DSS compliance, Tosto says.

Troy Leach, chief technology officer of the PCI Security Standards Council, agrees those three challenges can trip up a company in their compliance efforts, especially the one when it comes to developing a maintainable process.

When the person heading up a business' PCI compliance process leaves the company, for example, that can disrupt compliance, he says, as can a merger. A documented process should be put in place, he notes.

"Your people and technology may change, but if the process remains the same, it will not have as great of an impact," Leach says.

Avivah Litan, a Gartner analyst, says budget and funding to fulfill the PCI DSS requirements weigh heavy on the minds of CISOs. "When I talk to CISOs in the hotel and restaurant industries, they are frustrated they can't get the CEO's support," Litan says. "They [CEOs] say, 'why fund it when we haven't had a breach?'"

Verizon's report shows that IT services achieved the highest level of compliance, with 61.3% hitting the mark during evaluation process, followed by financial services, 59.1%; and retail, 50%. Less than 43% of the hospitality industry, which includes hotels, was compliant.

Litan says PCI DSS compliance should fall on the payment card brands and banks - not on merchants. "The standards are unrealistic for merchants to meet because this is not their business and core competency," she says. "It should fall on the banks to develop a secure system."

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
menuisier69
50%
50%
menuisier69,
User Rank: Apprentice
9/6/2017 | 5:13:13 AM
Re: pci compliance
who trust in payment card anymore ?
xanthan99
50%
50%
xanthan99,
User Rank: Strategist
9/5/2017 | 10:30:03 AM
...a journey not a destination
Boss: You're telling me if we're PCI-DSS compliant we can get a better processing rate from the bank?

Security Professional: Yes, but we need to remain compliant year over year.

Boss: Ah yeah, but our sales margin will improve?

Security Professional: Yes, but we have to dedicate an ongoing level of effort to staying compliant!

Boss: Yeah, yeah but it will improve profitability!

Security Professional: But there is a tech cost.

Boss: Cost? of course, we'll buy you guys a new high-end coffee maker!

 
pdantini06901
50%
50%
pdantini06901,
User Rank: Apprentice
9/2/2017 | 11:42:02 PM
pci compliance
The responsibility of maintaining a secure credit card processing environment must rest with credit card processing companies.  A small business can secure their network and data with a certain set of clear rules but the rules as written would be a challange for a security Specialist to implement in a small business environment with a small budget.  The point of paying a discount fee and processing fees for a small business is to insure that the majority of the risk is assumed by the credit card processor.  If the current environment continues I see a time where other forms of payment will be preferred by small business and the majority processors left wondering what occured to their volume/business.  

 

12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.