The state of compliance
While credit card data breaches remain all too common, a new report from Verizon Business shows that following industry security standards can dramatically reduce such incidents.
The report examines the state of compliance with the PCI DSS, which was created in 2006 to protect cardholder data and reduce credit card fraud. Company investigators found that breached organizations are 50 percent less likely to be PCI compliant and that only 22 percent of organizations were PCI compliant at the time of their initial examination.
In addition to assessing the effectiveness of the PCI DSS, the report identifies which attack methods are most common and provides recommendations for businesses on earning and maintaining PCI compliance.
The compliance report is based on findings from PCI DSS assessments conducted by Verizon’s team of PCI Qualified Security Assessors (QSAs) in 2008 and 2009, and a review of a sample of approximately 200 assessments.
The findings demonstrate that following PCI requirements can reduce the likelihood of a breach. Additionally, to obtain a more in-depth view of the data, Verizon overlaid the findings from payment card breach cases included in the “Verizon 2010 Data Breach Investigations Report” and then analyzed the combined data set for commonalities. Top findings include:
Only 22 percent of organizations are compliant initially. Most organizations were not compliant with the PCI requirements at the time of the Initial Report on Compliance, when Verizon QSAs first evaluate an organization against the standard. The majority of the fully compliant organizations were veterans of the process or were not required to comply with all of the requirements.
Compliance, however, is in reach. While 78 percent of organizations are not compliant initially, the findings show that, on average, organizations meet 81 percent of the procedures required by PCI. In fact, three-quarters of the organizations met at least 70 percent of the testing procedures, meaning that, with more diligence, they have a good chance of becoming compliant. Only 11 percent of organizations met less than half the testing procedures at the time of their initial review.
Organizations that suffer a breach are 50 percent less likely to have achieved or maintained PCI compliance. At the end of a forensic or data breach investigation, Verizon investigators assess how compliant the organization is with PCI. By reviewing this data against official PCI assessments, Verizon analysts determined that organizations that had a data breach are 50 percent less likely to be compliant with the standard than the organizations Verizon assessed for PCI compliance. These findings indicate that PCI compliance can help prevent data breaches.
There is a correlation between data breaches and the difficulties companies face in complying with certain PCI requirements. Of the 12 requirements that constitute the PCI DSS, three of them (protect stored data; track and monitor access to network resources and cardholder data; and regularly test security systems and processes) cover the areas that are most vulnerable to security breaches, according to the DBIR. However, those three requirements are also the same ones that companies struggle the most to meet for PCI compliance.
By coupling PCI assessment data with the post-breach analysis, Verizon analysts were able to rank the top attack methods used to compromise payment card data: malware and hacking (25 percent), SQL injections (24 percent) and exploitation of default or guessable credentials (21 percent).
The report found that the PCI requirements address the most common attack methods used to capture cardholder data. In several instances, multiple layers of controls exist across the standard.
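To make the second and third attack methods in the ranking above concrete, here is an added example (not code from the report or from Verizon) showing a login query built by string formatting next to its parameterized form, plus a small audit check for accounts still using well-known default credentials. The user records, the password hashing scheme and the list of default credential pairs are all constructed for the example.

```python
import hashlib
import sqlite3

# Constructed sample users for the demo (hypothetical; not data from the report).
SAMPLE_USERS = [
    ("alice", "Correct-Horse-42"),
    ("admin", "admin"),  # a default/guessable credential, the third attack method in the report
]

# Constructed list of well-known default credential pairs to audit a store against.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def hash_password(password: str) -> str:
    # Plain SHA-256 keeps the example short; a production store would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # In-memory table of usernames and password hashes, loaded from the constructed sample.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, hash_password(p)) for u, p in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Attacker-controlled username is spliced into the SQL text, so it can change the query's logic.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the driver passes the input as data; it is never parsed as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


def find_default_credentials(conn: sqlite3.Connection) -> list:
    # Audit check: which accounts still authenticate with a well-known default pair?
    rows = conn.execute("SELECT username, password_hash FROM users").fetchall()
    default_hashes = {(u, hash_password(p)) for u, p in KNOWN_DEFAULTS}
    return sorted(u for u, h in rows if (u, h) in default_hashes)


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 --"  # turns the WHERE clause into a tautology in the vulnerable query
    print("vulnerable login with injected username:", login_vulnerable(db, injected, "anything"))
    print("parameterized login with the same input:", login_parameterized(db, injected, "anything"))
    print("accounts using known default credentials:", find_default_credentials(db))
```

The vulnerable function succeeds for the injected username without any valid password, while the parameterized one treats the same string as an ordinary (non-existent) username and fails; the audit function reports the `admin` account, which is exactly the kind of finding the report's default-credential category and the "protect stored data" requirement point at.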