Large numbers of firms still struggle to achieve full PCI DSS 2.0 compliance despite meeting almost all of its requirements, according to an analysis of real-world assessments carried out by Verizon.
Looking at an unspecified number of annual ‘baseline’ assessments (i.e. those carried out before improvements), the consultancy found that in 2013 only 11 percent of global customers had met all the demands set out by PCI DSS 2.0 at this stage, slightly up on the 7.5 percent figure for 2012.
Curiously, a total of 82 percent had passed on at least 80 percent of the required controls, a dramatic increase over the 32 percent reaching that level a year earlier. A further cut on the numbers showed that almost one in five organisations passed 95 percent of PCI’s demands.
On the basis of Verizon’s customers, compliance levels are clearly showing healthy improvements but with PCI DSS now having moved on to the more demanding version 3.0 and with data breaches still common, are things improving fast enough?
Looking into the underlying reasons for non-compliance, Verizon spotted a number of themes. Businesses are now quite good at protecting cardholder data – 58.4 percent met the grade here – and 91 percent were on top of the need to use updated antivirus software.
But more than three quarters failed to meet DSS requirement 11 that stipulates firms should regularly test security systems to make sure they actually work. They might comply, they might not, but they can’t know either way.
Meanwhile, 62 percent of firms met requirement 8 covering the use of identity management and multi-factor authentication, but real-world breaches (i.e. Target, which is believed to have involved abuse of stolen credentials) suggest that this is woefully short of what is needed to secure systems properly.
According to the report’s primary author, Verizon’s director of operations at its PCI Security Practice, Ciske van Oosten, a major problem is simply that organisations implement controls but then forget to maintain them.
“Organisations have an abysmal record of testing security. They don’t test whether controls are working,” he said.
“It is not a failure of technology or of budgets. It is a lack of intelligent decision making.”
According to van Oosten, many data breaches could be prevented by implementing and testing controls such as two-factor authentication, a timely warning given the likelihood that hackers exploited precisely this weakness in recent attacks on US retailers.
Verizon also detected some interesting regional variations, which showed that 75 percent of Asian organisations met 80 percent of PCI DSS’s requirements, ahead of the US on 56 percent and Europe in last place on 31 percent.
Of course, Europe comprises a large number of countries that show wide variations in compliance levels (the Baltics are a particular problem for instance) while better-performing Asian firms are also more likely to have built their networks recently using updated systems. The US lies somewhere in between these poles but does, unlike some parts of Europe, have the advantage of a single regulatory and compliance regime.
Verizon recommends that PCI DSS be “embedded” inside firms affected by it while using it as a means of streamlining systems so that data is stored on as few systems as possible. PCI DSS is often seen as a threat but Verizon argues it can be a spur to change too.