Risk | 3/12/2015 07:45 PM

7 In 10 Businesses Struggle To Sustain PCI Compliance

Maintaining PCI compliance is a bigger challenge than achieving it for many companies, Verizon study finds.

For many companies, maintaining compliance with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) appears to be more challenging than actually achieving it.

A new survey by Verizon on the state of PCI compliance among organizations that handle debit and credit card data shows that more companies than ever are achieving some form of compliance with the requirements of the standard.

Verizon reviewed (registration required) quantitative data from PCI assessments that it conducted over the last two years at customer locations and from data breach investigations it conducted for clients over the same period. The data showed that between 2013 and 2014, compliance rates went up substantially for 11 out of 12 major PCI requirements among companies required to meet the standard. The only area where compliance rates fell during the same period pertained to security testing. About 20 percent of the companies reviewed were fully compliant with all PCI requirements at interim assessment, compared to just over 11 percent in 2013 and barely 7.5 percent in 2012.

Despite such progress, 7 out of 10 companies that achieve PCI compliance fail to maintain that status even for a year. Verizon’s research showed that only 28.6 percent of companies managed to remain compliant for the full year between annual assessments.

A lot of that has to do with the continued failure by companies to implement robust measures for managing and maintaining compliance once they have achieved it, says Andi Baritchi, global managing principal at Verizon and one of the authors of the report.

It’s common for organizations to conflate validation and compliance, Baritchi says. “Compliance means doing all of the things that PCI says you need to do during the year,” he said. “The assessment is merely a snapshot in time. It validates that Company X is compliant,” based on a specific assessment at a specific point in time.

Companies that suffer data breaches are often quick to note that they had been validated for compliance within the past year. But that doesn’t mean that they were in fact compliant at the time of the breach, Baritchi said. In fact, data from the past 10 years shows that not a single company that suffered a data breach was compliant with PCI requirements at the time of the incident, he said.

“This leads us to the question: has compliance become too complex, preventing organizations from looking at the ‘big picture’?” says Dave Oder, CEO of Shift4 Corp. “Organizations that focus on compliance, and jump through all of PCI’s hoops, may achieve compliance for a moment in time.”

But it is only organizations that are looking to be secure at all times that will find compliance easier to achieve and maintain, he says.

The 84-page Verizon report highlights the multiple factors that affect an organization’s ability to maintain compliance on a sustained basis. From a technical standpoint, the complexity of systems in an IT environment, the architectural design, the physical location of systems, and the manner in which they are interconnected can all affect the level of investment and effort needed to maintain compliance, the report noted.

Similarly, an organization’s ability to sustain compliance at an operational level depends on factors like the proficiency of its IT organization and the culture of the organization regarding adherence to policies. The degree to which strategic, business, and data protection objectives are aligned can also impact compliance sustainability in a big way, Verizon said in its report.

“It is not uncommon for executives to make strategic business decisions (like changes to sales channels and mergers) without considering the potential impact on information security and compliance, and how that might affect the business case,” the report said.

The PCI Security Standards Council, which administers the standard, has somewhat controversially insisted for some time that organizations that implement and maintain compliance with all of PCI’s requirements will not get breached. It has noted, as Verizon does in its report, that every company that has suffered a payment card data breach was also not PCI-compliant at the time.

In a statement responding to the Verizon report, the PCI Council’s general manager Stephen Orfei reiterated those sentiments. “Often an organization’s approach to PCI security is to focus on passing the annual compliance assessment,” he said. But this is only the start, he noted.

“Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice will help thwart [security threats],” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

Drew Conry-Murray, User Rank: Ninja
3/13/2015 | 11:07:51 AM
The PCI Farce
If a compliance program is so complex and ineffable that it can only be validated at the precise moment of observation, isn't the notion of compliance certification essentially a farce? Unless you're going to compel organizations to pay for constant third-party assessments to ensure compliance, what's the point of the program?