Security Experts:

Challenges Remain in Upholding PCI Compliance: Report

Companies are getting better at complying with payment card industry security standards, but experts believe that is only half of the story.

The number of companies still fully compliant with the PCI standards during the interim report rose to 20 percent in 2014, according to the 2015 PCI Compliance Report released by Verizon this week. This is a tremendous improvement from the 11.1 percent in 2013 and mere 7.5 percent in 2012 that maintained compliance between assessments. While the upward trend is a positive sign, this means that 80 percent of companies are still struggling as they fall out of compliance during the year, Andi Baritchi, global managing principal of PCI Consulting Services at Verizon Enterprise Solutions, told SecurityWeek.

Organizations typically fall out of compliance if they don't have procedures in place to continuously monitor the environment and react when something changes, Baritchi said. Compliance should be treated as a snapshot as it just proves the sample of devices tested at that moment was doing everything right—not that everything is performing as it should at all times. Companies need a robust framework which regularly checks and tests the controls to increase the likelihood of being compliant every day of the year, he said.

PCI Compliance

It's still difficult for organizations to meet all 12 of PCI security standards, but 93.7 percent of the companies worldwide met most of them in 2014, compared to 85.2 percent in 2013.

"Anything less than 100 percent compliance is an issue for businesses today," Rodolphe Simonetti, managing director of the PCI practice for Verizon Enterprise Solutions, said in a statement accompanying the report. Non-compliance opens organizations to the risks of credit card theft, which can be expensive to remediate and result in brand damage.

The 12 PCI DSS requirements include maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining antivirus software, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems, and maintaining security policies. The report found that companies were doing better across the board meeting these requirements. Overall, compliance went up by an average of 18 percent for 11 out of 12 requirements.

Requirement 8, authenticating access, saw the biggest jump, with 69 percent of companies were compliant during the interim report in 2014, compared to 33 percent in 2013. Another improvement was with Requirement 7, restricting access, as 89 percent of companies successfully remained compliant between assessments. The figure was closer to 60 percent in 2013.

The ratio of companies compliant on Requirement 11, testing security systems, declined from 40 percent in 2013 to 33 percent in 2014. These are security 101 activities, such as checking what's in place, scanning regularly, and performing penetration tests. The fact that so many companies are struggling to remain in compliance on this requirement is very worrying, Baritchi said.

There was a substantial increase in compliance with Requirement 1 Control 1.1, which has to do with the documentation of firewall standards. About 75 percent of organizations were compliant in 2014, compared to 51 percent in 2013. The ones who weren't compliant were likely just listing all change tickets instead of documenting how the firewall feature was being used. The requirement's goal is to map and analyze the specific configurations of these devices and ensuring the firewall is working properly, Jody Brazil, CEO of FireMon, told SecurityWeek. Brazil noted the failure to do so means there is no real world improvement to security.

"As firewalls are easily one of the longest tenured elements of network security, if not the most, the fact that organizations are still struggling so greatly to affect proper management is pretty shocking," Brazil said. "If these systems cannot be properly managed, and as a result the current state of real-world network access remains unclear, how can anyone adequately protect their data from attackers, no matter what other tools or technologies that they may attempt to employ?"

PCI compliance will continue to be relevant going forward, even with the rise of contactless and mobile payments, as well as other payment technologies, the report found. Mobile payments include using mobile-based readers instead of traditional point-of-sale terminals, using the device's near-field communications chip to interact with the point-of-sale terminal (including Apple Pay), or apps that facilitate peer-to-peer transfers online.

"While we believe that the actual payments will still be handled through the existing card brands and banking systems, this appears to be a significant trend and the beginning of the end of the plastic card," the report said.

Payment applications developed for use on customer mobile devices are not currently subject to PCI PA-DSS requirements, they still need to comply with the secure application development controls in PCI DSS, the report warned.

In case anyone wants to dismiss the report because compliance doesn't equate with security, it turns out PCI DSS does help. Verizon researchers dug into its statistics about data breaches and found that breached organizations were 36 percent less likely to be compliant with a given requirement. The report found that 45 percent of breached organizations were not compliant on patch management and development security, and 72 percent were not compliant on areas including log management and monitoring. The report suggests if the organizations had been thinking about PCI compliance, it's possible some of the issues that led to the breach may have been uncovered sooner.

There is "some substantive evidence" that compliance can improve security management and breach prevention, Brazil said. In last year's Data Breach Investigation Report, Verizon's RISK team found that 73 percent of the organizations that suffered a data breach were not in compliance with Requirement 1 at the time. It makes sense that organizations documenting, tracking, and mapping all of the policies that they currently use would be in a better position to effectively defend their networks than those that merely collected lists of changes. Changes are constantly being made on the network, and related firewall controls are often overlooked, or mismanaged, resulting in unseen, overly permissive access.

"There's clearly a strong correlation that can be drawn between the ability to properly manage firewalls, and related policy changes, and prevention of network compromise resulting in a breach," Brazil said.

The 2015 PCI Compliance Report (PDF) looked at how thousands of retailers, hospitality companies, financial service firms and other organizations followed the standards established by the PCI Security Standards Council. Established by the PCI Security Standards Council, the PCI rules apply to retailers, hospitality companies, financial service firms, and pretty much any organization who accepts credit or debit cards. PCI standards are established by the industry, not by government, and are widely considered to be helpful in improving the organization's overall security.

"Many of those organizations that experienced a breach likely were PCI compliant at some point when they were audited," Brazil said. "Organizations that are faring better at compliance do seem to be better prepared to prevent costly breach incidents."

RelatedKnow What Hackers Know - HP Cyber Risk Report 2015

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.