A new Verizon Business report released today shows a correlation between non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) and data breaches. The results revealed that organizations that had suffered data breaches were 50% more likely to exhibit PCI non-compliance.
The Verizon Payment Card Industry Compliance Report, based on assessments done by Verizon QSAs between 2008 and 2009, held little in the way of surprises. Companies are still struggling to secure stored data, don't do a good job tracking and monitoring access to data, and still fail to regularly test systems and processes.
The report also ranked the top attack techniques used to steal payment card data. Remote access to systems via backdoors was the top attack, followed closely by SQL injection attacks. Poor authentication was also a problem, in particular, attackers exploiting default or easily guessable passwords to gain access to systems storing or processing payment data.
"This makes me somewhat frustrated that SQL injections, for example, are still in the top three [attack techniques]. Compromises are still tied to secure Web application coding and scanning," said Jen Mack, Verizon director of global PCI consulting services. "I have to say I wasn't surprised, and I can't imagine anyone in the industry would be surprised. It's what we thought was the case. Now we have this data set behind it."
Another key finding of the report was that 22% of companies were found to be compliant upon their initial compliance report, and that 81% of testing procedures were being met at IROC. Mack said that the first number might be high because many of those companies could have been compliant a year earlier, or were able to use the six weeks between the initial onsite assessment and the IROC to remediate any issues.
"When our QSAs go on site, we do the initial interview, conduct and review testing procedures and we leave. The customer knows what's in place from the debriefing session," Mack said. "Based on the debriefing, they can prioritize their gaps against their risk and work on out-of-place items."
The report also cautions not to see the 81% of testing procedures being met as an overly positive number. The report points out that there are 250 testing procedures that are part of a PCI assessment, meaning that close to 50 are not being met. "That is not a small number," the report said.
Further, 11% of companies met less than half of the requirements, while 22% met 100% of the requirements.
The report also covers compensating controls, and determined that Requirement 3.4, which mandates that a primary account number (PAN) be unreadable, is the control most compensated for.
"This requirement is compensated mostly because of legacy systems," Mack theorized. "This is a tougher requirement to meet; it always has been. Data makes its way to a lot more places than initially thought. Reining it in is a lot more difficult. I think that's why compensating controls are used here the most."
Verizon said the Payment Card Industry Compliance Report followed a similar model to its Data Breach Investigations Report.
"The goal is to foster discussion around PCI," Mack said. "We needed the data to do that. The objective is to present compliance data scientifically."