Verizon have launched their 2011 Payment Industry Compliance Report which draws on their experiences as a QSA company and previous annual reports.
Extracts from the report are below.
Unchanged from last year, only 21 % of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). Verizon commented with “This is interesting, since most were validated to be in compliance during their prior assessment”.
- Organizations met an average of 78% of all test procedures at the IROC stage
- 20% of organizations passed less than half of the DSS requirements
- 60 % scored above the 80 % mark
Organizations struggled most with the following PCI requirements:
- 3 (protect stored cardholder data)
- 10 (track and monitor access)
- 11 (regularly test systems and processes)
- 12 (maintain security policies).
The PCI Requirements showed the highest implementation levels were:
- 4 (encrypt transmissions over public networks)
- 5 (use and update anti-virus)
- 7 (restrict access to need-toknow)
- 9 (restrict physical access)
Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council even less so than in the previous year.
A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance significantly factors into their success.
Once again, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. Analysis of the top threat actions leading to the compromise of payment card data continues to exhibit strong coverage within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.
In the pool of assessments performed by Verizon QSAs included in this report
- 21% were found fully compliant at the completion of their IROC
- This is just 1% less than in their last report, and effectively the same number
The lack of change is a disappointing, as many in the industry were hoping to see an increase in overall compliance as the PCI DSS became more familiar to an increasing number of organizations.
79% of organizations were not sufficiently prepared for their initial assessment
Having established that only 21% “passed the test” the next question becomes “what was their score?”
- On average, organizations met 78% of all test procedures defined in the DSS at the time of their IROC.
- Down 3% from Verizon’s last report; but again, the difference is nominal.
Therefore, the baseline set by the PCI DSS must not reflect the baseline set by the companies themselves. For most organizations, to achieve compliance they must do things they were not previously doing (or maintaining).
Another common Achilles heel of merchants and service providers in the PCI assessment process is over confidence
“It was painful, but we made it through last year, so this year should be a breeze”
is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake. When the QSA arrives on-site, a mere 1/5th of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.
Complacency and fatigue are two additional drags that make maintaining compliance year over year difficult. Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.” But unless someone’s been babysitting a process, such as documenting and justifying all services allowed through the firewalls, things can easily be forgotten in the haste to get business done.
When examining the percentage of organizations passing each requirement at the IROC phase.
- Some requirements show percentages dipping below 40%, while others exceed the 70% range.
- Six of the twelve show an increase over last year, and the average is up two points.
- However, the average number of test procedures met within each requirement is down 4%.
- None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that
- organizations continue to struggle (at varying degrees) in all areas of the DSS.
How do organisations perform against the 12 Requirement? The four highest rated Requirements are:
- 4 (encrypt transmissions)
- 5 (AV software)
- 7 (logical access)
- 9 (physical access)
Requirement 10 (tracking and monitoring) boasted the highest gain+13 %
Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.
Requirement 4 (encrypt transmissions) showed a marked improvement which may indicate that administrators are deciding it’s easier to direct all Internet traffic containing credit card data over SSL.
Requirement 7 (logical access) showed a slight improvement, which could mean more strict attention is being paid to who is given access to cardholder data.
Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.
Requirement 11’s low showing reminds us why ‘set and forget is a very bad bet’ should be a core mantra of the security profession. The fact that security policies rank among the lowest of the low is not a good sign since policy drives practice.
Requirement 1 remains virtually unchanged since last year, at 44% compliance, compared to the 46% in the last report. Only 63% of companies met Requirement 1.1.5 regularly
Compliance is the continuous state of adhering to the regulatory standard. In the case of the PCI DSS there are daily (log review), weekly (file integrity monitoring), quarterly (vulnerability scanning), and annual (penetration testing) activities that an organization must perform in order to maintain this continuous state of compliance
The entire report can be found on the Verizon web site here.