As the IT officer for Biddeford Savings Bank in Maine, Keith Gosselin has found that most security regulations...
and standards carry common demands. Company computer systems must be protected by multiple layers of security, including data encryption, and sensitive customer information should not be stored unless absolutely necessary.
Enterprises living by those rules should be in a good position to meet everything from the demands of the Sarbanes-Oxley Act to the Payment Card Industry Data Security Standard (PCI DSS), Gosselin said. Therefore, he's surprised by a new report from VeriSign Inc. showing that many companies continue to struggle with the demands of PCI DSS.
The Mountain View, Calif.-based company based its report on a review of 60 PCI audits it recently conducted for 50 large companies. VeriSign measured the extent to which companies are meeting more than 230 data security requirements and found 53% failing to meet key elements of PCI DSS. VeriSign found companies coming up short in several key areas, including regular testing, securing applications, logging and protecting data. The chief point of failure for 48% of customers was that they weren't regularly testing their controls to make sure they work.
"The biggest sticking point for many is that there's so much detail to comply with," said Graham Gillen, a senior manager in VeriSign's PCI group. "Scanning is an obvious requirement, but there has been confusion over which systems should be scanned, how deep a scan needs to go, and so on."
Under PCI DSS, level 1 businesses -- those that process more than six million credit card transactions a year -- are subject to an annual on-site audit and quarterly network scans performed by an approved vendor. Level 2 and 3 companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and have an approved vendor conduct quarterly network scans. The standard sets out 12 basic security requirements, including encryption, access controls and firewalls. Penalties for noncompliance include fines of up to $500,000, increased auditing requirements and even losing the ability to process credit card transactions.
Level 1 companies face a Sept. 30 compliance deadline, while Level 2 merchants have until the end of December to have their security up to standard, Gillen said.
On the plus side, fewer companies are failing now compared to last year, when VeriSign saw a 73% failure rate among customers. But that piece of good news is offset by the fact that an ever-shifting data security landscape is causing many enterprises to fail requirements that they had passed the year before.
For example, Gillen said, IT shops are supposed to segregate data to make it harder to steal, but doing so means there are more systems that have to be scanned. So scanning procedures that were adequate a year before become insufficient. "As you solve one problem, it creates another problem," he said.
Surprised by ongoing failures
Gosselin said he can understand the difficulties some companies face. There's a lot of oversight today that didn't exist five years ago, he noted. But he was surprised to see companies continuing to stumble over testing procedures.
He said one surprise from the VeriSign report is the high failure rate some continue to have in meeting third-party testing requirements. "I would think for the most part this would be an easy one to knock off and I would assume that many of these companies would already have an engagement with someone in place [for proper testing procedures]," he said. "That said, it surprises me how high that number is."
Gosselin was also surprised by the suggestion that many companies keep struggling to keep track of all their stored customer data. After all, he said, companies should know by now that customer data shouldn't be stored in the first place.
"Why would anyone want to hold on to that data?" he asked. "Just pass it through to VISA and imagine how much easier your life suddenly becomes."
Auditor finds fault with VeriSign report
While he agrees with some of VeriSign's conclusions, one independent PCI DSS auditor found fault with some of the report. Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said the report doesn't always account for some critical differences and inter-relationships between a threat (an actor or a mechanism), a vulnerability (a way for the threat actor or mechanism to carry out an exploit), and an asset (the money), all of which result in some level of risk. "Wireless use, for example, is not a threat -- it is simply a fact that may represent a risk," he noted.
Nebel also took issue with VeriSign's indication that clients who passed requirement 6 of PCI DSS still have applications at risk. Requirement 6 requires that companies develop and maintain secure systems and applications, and to pass the requirement while applications remain at risk is patently impossible, he said.
"Either you develop and maintain secure applications or you don't," he said. "Requirement 6.2 is pretty clear -- '…information security [is] included throughout the…SDLC (Systems Development Lifecycle)…' -- if it is then you can't deploy an application that is not secure. A security-aware SDLC would include test and acceptance as well as ongoing operational monitoring."
Finding common ground
Despite his issues with the VeriSign report, Nebel said he agrees with the overall conclusions. Most compromises are the result of merchants taking at blind faith that their vendor's products are secure and in most cases they are not because there are default passwords in remote management software and they don't encrypt cardholder data by default (or at all), he said, adding, "I also agree that the best strategy to reduce the risk of a compromise is to store less data and encrypt what you do store."
In the final analysis, Gillen said companies who continue to struggle should not panic. Visa and MasterCard have hinted they will be forgiving to those who at least show they have a plan to address remaining problems, he said.
"As long as you know what you need to do and when you need to do it, that'll probably be considered good enough in most cases," he said. " When the deadline hits, just be able to say where work is still needed and what you are doing about it."