One of the scariest stats that we have read recently is the following:

“Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach.”

verizon_interim_vs_postbreach

The above graph shows how companies approached their PCI Compliance in 2014 and it puts an accent on their behaviour by trying to compare their “at interim assessment processes" against their reaction to data breaches. The chart indicates how most of PCI DSS requirements register a lower level of compliance after the security breaches.

This information is revealed in the PCI Compliance Report 2015 that was recently published by the security experts team at Verizon, the U.S. broadband and telecommunications giant that produces an annual report about the PCI data security standard.

What are the main takeaways from this report?

We can sum up the content of this report by looking at the main takeaways just as they are mentioned in the report itself.

Compliance is up
11 of the 12 requirements of PCI DSS Compliance experienced an increase of 18% between 2013 and 2014. Requirement 8 (Identify and authenticate access to system components) is the one that has shown the biggest growth - from 33% to 69% - while requirement 11 (Regularly test security systems and processes) is the only one that dropped (just a few percentage points, from 40% to 33%).

Sustainability is low
In 2014, less than a year after previously achieving validation from Verizon, only the 28.6% of companies were still found to be fully PCI DSS compliant. This is due to the absence of robust procedures in place for achieving and maintaining compliance; furthermore a compliance assessment demonstrates the achievement of compliance at a particular moment in time. Companies should build their own framework with security policies, procedures, and testing mechanisms, with the intention to increase the chance of being PCI compliant continually.

Data Security is still inadequate
The current security measures are not able to stop attackers and in most cases they are even unable to slow them down. PCI DSS is a baseline, and should not be seen as a self living standard sufficient to be secure, but as part of an information security risk-management strategy. Companies can spot important weaknesses and gaps thanks to a PCI Compliance and fix them, but this won’t give them a 100% guarantee of protection to their customer’s data.

But, what does it mean to be PCI Compliant?

“Actually being PCI DSS compliant means achieving and maintaining all the PCI DSS controls throughout the year.”

This means that a company that describes itself as “PCI Compliant” has gone through a validation process, but it might still not be compliant. That’s because either the PCI DSS validation assessment didn’t identify all of the non-compliant areas, or because that particular company doesn’t perform compliance scans on a regular basis.

Therefore, we may say that the term “secure” could be compared to the Chimera in Greek mythology, a metaphorical expression that we could use for a wildly imaginative situation. In the case of security, the delusional aspect is that it’s almost impossible to achieve it. Only those company that invest in having a complete knowledge and immediate answers to all threats, would be able to define themselves as secure.

Customers trust companies when they complete a purchase. You are requested to provide the service or products that you promise, but also to keep their credit card and personal details safe.

Companies have to look into the sustainability of security controls and ongoing risk management.

How can an entity be secured when a new attack is coming from hackers?

One of the main statements that we find in this report, is that for a company a scope-reduction strategy is the most important premise for a good approach to compliance. The complexity of systems and processes in place for storing, processing, transmitting and accessing CHD (CardHolder Data) and their understanding, is the key to defining and cutting the scope to achieve and maintain compliance.

”Cutting the DSS scope will result in lower total cost of ownership, make maintenance of security controls easier, and reduce risk by limiting the attack surface”.

Achieving and monitoring compliance has a huge impact on the costs of organizations; those costs are growing year after year, as described by the chart below, and the only way to reduce them is to have a solid PCI Compliance management strategy in place.

costs of pci compliance

Some lessons to learn after a year of payment breaches.

Keep these point in mind for the future:

  • When it comes to logging, monitoring, patching and maintaining key systems, companies that are slow in logging and monitoring are unable to track breaches quickly enough and give attackers more chances to damage their infrastructure.
  • It’s important to set up a strong and consistent security governance. PCI DSS 3.0 pushes security as a business-as-usual practice and this approach is most likely to widen in the coming years.
  • Most security professionals are familiar with the idea of controlling least-privilege access but breached companies were bad at authenticating access. Complexity in this field is growing along with the consequent administrative challenges of adhering to it in practice.
  • Firewalls are the first line of defense for a company. They effectively work only if architected, tuned, and maintained properly. 71% of Verizon’s QSA clients met all of the controls associated with maintaining firewalls and just 27% of breached organizations did. Ineffective perimeter security is a key contributor to the likelihood of suffering a breach.
  • When it comes to malware we see that 80% of QSA clients maintained all the controls in this area, whilst just 36% in the group of breached entities did. Organizations should use more sophisticated technologies - to support anti-virus - that include proactive behavior detection, sandboxing, whitelisting, application control, cloud-enabled threat intelligence, heuristics, and reputation analysis.
  • The task of protecting stored cardholder data shows another gap between QSA groups (with 62% of companies compliant) and those that have been breached with just 36% compliancy achieved. As more organizations shift to encryption, tokenization, and/or not storing CHD at all, it is expected to see this requirement converging in the years to come.
  • The security testing is the area with worse results. Both groups, QSA and breached organizations, failed with 33% and 9% of them (respectively) passing the assessment. Each group should improve the security of their systems by testing them more accurately.

Achieve and maintain PCI DSS Compliance!

Did you experience a data breach in 2014? Do you know that the PCI DSS 3.1 is going to be out soon? Advantio is a PCI Compliance Qualified Assessor able to analyze your system and find out what you need to do to achieve compliance and maintain it continually. To find out how, contact us.

Igor Mancini

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics with the eyes of a non technical person, speaking a simple language and trying to show to the readers the benefit of IT Security best practices.