For nine years, Verizon has released its annual Payment Security Report about the state of Payment Card Industry Data Security Standard (PCI DSS) compliance. For nine years, the pattern has remained the same: Many companies don't comply with the standard, and many companies that do comply fall out of compliance not long after their audit. IT organizations don't struggle with PCI DSS compliance due to a lack of knowledge or technology; the problem is proficiency.
"Proficiency is the main theme," says Ciske van Oosten, lead author of the report since 2013 and senior manager of global intelligence for security assurance consulting at Verizon Enterprise Solutions. "With 10 years of data breach investigation reports, you start to recognize patterns."
"It's not a knowledge problem," van Oosten adds. "There's an abundance of knowledge out there. People are almost inundated with it. It's not really technology failure. It is really proficiency: that level of confidence, skills and experience."
The state of PCI DSS compliance
In the 2017 report, released earlier this year, Verizon found that overall compliance has increased among global businesses — 55.4 percent of organizations Verizon assessed passed their interim assessment in 2016, up from 48.4 percent in 2015. But that means nearly half of retailers, restaurants, hotels and other businesses that take card payments are failing to maintain compliance from year to year.
"There is a clear link between PCI DSS compliance and an organization's ability to defend itself against cyberattacks," says Rodolphe Simonetti, global managing director for security consulting at Verizon. "Whilst it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed — large and small — are still not meeting PCI DSS compliance. Of those that pass validation, nearly half fall out of compliance with a year — and many much sooner."
PCI DSS compliance varies from industry to industry. The report found the IT services industry maintains the highest full compliance of all key industry groups studied, with 61.3 percent globally achieving full compliance during interim validation in 2016. The financial services industry (which includes insurance companies) was once at the bottom, but in 2016 it took second place with 59.1 percent of organizations achieving full compliance during interim validation. Retail came in at 50 percent and hospitality at 42.9 percent.
The various business sectors struggled with different controls:
- Retail: Security testing, encrypted data transmissions, and authentication
- Hospitality and travel: Security hardening, protecting data in transit, and physical security
- Financial services: Security procedures, secure configurations, protecting data in transit, vulnerability management, and overall risk management
van Oosten points to a financial services organization that failed. It was seeking an exemption from the Wi-Fi requirements of PCI DSS, only to discover that it already had a wireless network operating in its building. Why? An IT admin had gotten tired of having to go between the server room in the basement and the IT department on the third floor whenever changes were required, and so installed a router to access the servers from his desk.
Strong compliance practices, strong security
van Oosten notes that of the nearly 300 payment card data breaches Verizon has investigated between 2010 and 2016, not one was fully compliant at the time of the breach. Some of those organizations did achieve compliance at one point, but they didn't maintain it, often because they treat compliance as a goal to be achieved rather than a process.
It's not that PCI DSS compliance makes you secure, van Oosten explains. Compliance just means there was no evidence of non-compliance found during the one or two weeks of the assessment period. But organizations that make control sustainability and resilience part of their larger security program do fare better, van Oosten says.
For example, consider an organization with a well-segmented network. It keeps cardholder data separate from other types of data, and the cardholder data can only be accessed on a "need-to-know" basis. That's a strong and basic security practice. But say the environment changes: the company adds a new branch, installs a new Wi-Fi router, or replaces a business partner. An organization that treats compliance as a goal to be achieved will wait until an external assessor points out the problem prior to its next audit to fix the problem. On the other hand, an organization that treats PCI DSS compliance as a process will go back to ensure the segmentation remains intact after the environment changes.
"There's a difference between control effectiveness and control correctness," van Oosten says. "It's basic resilience and robustness. Changes are inevitable. Your controls will fail. You need to have that resilience."
Sustainable data protection
When looking at the PCI controls that companies would be expected to have in place (security testing, penetration tests, etc.), the report found that many of these basics were absent, and the problem is getting worse. In 2015, companies that failed their interim assessment had an average of 12.4 percent of controls absent. That increased to 13 percent in 2016.
"It is no longer the question of 'if' data must be protected, but 'how' to achieve sustainable data protection," Simonetti says. "Many organizations still look at PCI DSS controls in isolation and don't appreciate that they are inter-related — the concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals — however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts."
van Oosten says five key guidelines can help you establish strong control lifecycle management:
- Consolidate for ease of management. Adding more security controls is not always the answer — the PCI DSS standard already contains numerous interlinked data protection standards and regulations. Use this to consolidate controls, making them easier to manage.
- Invest in developing expertise. Invest in people to develop and maintain knowledge of how to enhance, monitor, and measure the effectiveness of controls in place.
- Apply a balanced approach. Maintain an internal control environment that is both robust and resilient to avoid controls falling out of compliance.
- Automate everything possible. Apply data protection workflow and automation and ensure that automation is frequently audited. Reduce your reliance on controls that require human intervention.
- Design, operate, and manage the internal control environment. The performance of your controls is inter-linked. If there is a problem at the top, it will impact the performance of controls at the bottom. Understand the linkages to achieve and maintain an effective and sustainable data protection program.