Highlights from the Verizon 2014 PCI Compliance Report

Verizon has published its 2014 PCI Compliance Report, which can be downloaded from here. Like their Data Breach Investigation Report (DBIR), it is an excellent piece of research and provides insight into the challenges associated with complying with the Payment Card Industry’s Data Security Standard (PCI DSS) v2.0.

These are some of my favourite quotes from the report with my take on the issues they raise:

“Organizations that are breached tend to be less compliant with PCI DSS than the average of organizations in our research.” – This is interesting as it provides evidence that the PCI DSS can be effective at protecting against a cardholder data breach. However, the rest of the report clearly demonstrates that the PCI DSS is only effective if organisations strive to meet the intent of the standard and do not merely treat compliance as a box-checking exercise.

“….the vast majority of organizations are still not sufficiently mature in their ability to implement and maintain a quality, sustainable PCI Security compliance program….” – This point is highlighted throughout the report. The reality is that compliance-based security initiatives tend to cause organisations to scramble to collect and provide evidence that they are in fact compliant (in the case of PCI DSS, this assessment is performed on an annual basis) rather than to provide ongoing assurance that the required controls are maintained and continue to be effective at securing the information they have been implemented to protect.

“….only around one in ten organizations were fully compliant with PCI DSS 2.0 at the time of their baseline assessment….” – That is a shockingly low compliance rate. It would be really interesting to know what the average period of time is between the baseline assessment and the organisations addressing all (or indeed any) of the deficiencies identified in the QSA’s report.

“Patch management and associated vulnerability management processes represent the biggest problem areas, because they’re rarely well documented and automated.” – Really? This is one of those issues that really should have been eradicated in the late 90s! It seems incredible to me that so many organisations still do not have effective patch and vulnerability management processes.

“Requirement 11 was the least complied-with requirement in our study.” – Again this seems absurd, as Requirement 11: Regularly Test Security Systems And Processes requires organisations to test the effectiveness of the controls and processes that they have implemented to achieve compliance with the PCI DSS. Any organisation that fails to assess the effectiveness of the controls that have been implemented to address the requirements has just wasted their time, effort and money.

“Often our QSAs are given a penetration-testing report only to find that the organization hasn’t even read it.” – What? Why would any organisation commission a penetration test and then not bother to review and address the findings? In my experience this is characteristic of compliance-driven security initiatives, as the focus is usually on achieving compliance rather than managing information security risks. This viewpoint is supported by the next quote.

“Organizations that are looking simply to comply are incentivized to opt for the cheapest, quickest and most superficial testing that will allow them to “check the box”.” – This is one of the main problems with compliance-based security. Organisations are incentivised to do the minimum required to demonstrate compliance with the standard rather than ensuring that their information security risks are effectively managed.

If your organisation stores, processes or transmits cardholder data, I strongly recommend downloading and reading the report. In addition to its analysis, Verizon also presents five ways in which organisations that have to comply with the PCI DSS can improve their compliance programme. Although there are many gems of information in this section, my two personal favourites are:

“Instead of seeing PANs and other card data as just fields in a database, every employee should be taught to see them as valuable corporate assets worthy of protection and due care.”

“While compliance is important, you should never forget that the end goal is always to maintain effective data protection.”