For all the good the Payment Card Industry Data Security Standard (PCI DSS) has done to raise payment card security awareness among merchants and payment processors, new data from Verizon shows organizations consistently fail to meet all of PCI's requirements, leaving themselves vulnerable to rudimentary attacks.
Verizon Tuesday will officially release its 2014 PCI Compliance Report (PDF), a collection of findings based on the results of more than 1,000 PCI DSS assessments the company performed from 2011 to 2013; about two-thirds were Initial Reports on Compliance (IROCs), while about a third were final ROCs. More than 84% of the assessments were performed at Level 1 merchants, defined by the PCI Security Standards Council (SSC) as merchants that process more than 6 million transactions per card brand per year.
Richard Santalesafounding attorney, Smartedge Law Group
Verizon reported that the organizations in its data set were, on average, compliant with 85.2% of the controls and subcontrols in PCI DSS, a notable improvement compared with its data from the previous year. Yet startlingly, few organizations succeeded when the PCI Qualified Security Assessor came calling: Just three out of every five organizations managed to pass half of the PCI's 12 requirements, and fewer than one out of every nine companies passed all 12 requirements.
The findings are not entirely surprising given the recent series of large data breaches reported among high-profile U.S. companies. Minneapolis-based retailer Target Corp. has been dealing with a massive breach involving as many as 110 million combined payment and personal customer records. Neiman Marcus, Michaels Stores and the regional hotel operator White Lodging Services Corp. have also confirmed breaches in recent weeks.
In a statement, Bob Russo, general manager of the PCI SSC, said the Verizon report is the latest reminder that merchants must not ignore the three pillars of PCI compliance: people, processes and technology.
"Ongoing deployment and maintenance of PCI standards as business as usual is the best way to protect payment card data," Russo said. "It's encouraging to read that many organizations in the Verizon caseload are moving closer to that point."
Falling through the cracks: Pen testing, default passwords
PCI DSS Requirement 11, which mandates regular testing of security systems and processes, proved particularly problematic for merchants. Verizon reported that among the most compliant organizations -- those that met 95% of the PCI DSS controls -- more than half failed Requirement 11. When measuring the entire data set, 60% of organizations were not fully compliant with Requirement 11.
More specifically, organizations struggled mightily with penetration testing. The two controls organizations most frequently failed to meet were 11.3.a, which requires penetration testing annually or after any significant changes to the cardholder data environment (CDE), plus documentation of the results; and 11.3.b, which requires validation that "exploitable vulnerabilities" discovered during pen testing are corrected. In all, eight of the nine least-often-met controls fell under Requirement 11.
In the report, Verizon cited organizations' difficulty working with third-party scanning vendors, understanding the purpose of vulnerability scanning and putting off or outright neglecting pen testing.
"Often, our QSAs are given a penetration-testing report only to find that the organization hasn't even read it," Verizon said in the report.
Rodolphe Simonetti, managing director of PCI compliance for Verizon's Enterprise Solutions group, said many companies that have previously achieved full PCI compliance often forget to conduct one or more of their quarterly vulnerability scans.
"We'll come back a year later, and they've only done two scans instead of four," Simonetti said. "They forgot it was something they need to include in their usual business processes, even though they did it the year before."
Steven Weil, senior security auditor with Louisville, Colo.-based IT audit and compliance firm Coalfire Systems Inc., said some organizations aren't able to perform pen tests due to limited budget or staff, or aren't able to schedule them in time for their assessments, but others fail to understand that if a QSA sees a major change to the cardholder data environment, such as a new piece of IT equipment or a major software upgrade, he or she will expect the organization to conduct an additional pen test.
Requirement 2 -- avoiding the use of vendor-supplied passwords and other security settings -- was almost as vexing. Verzion reported that slightly more than half (51.1%) of organizations were fully compliant, and just one out of every five organizations were compliant with 80% of Requirement 2's controls.
"Something like changing vendor-default passwords, that's Security 101," Simonetti said, "but too many companies still use the easiest possible ways to manage their systems."
Questioning PCI's value, penalties
Verizon's report is merely the latest evidence questioning the validity and relevance of the PCI DSS. Critics of the standard say that if enterprises aren't able to pass an annual assessment, it's unlikely they would ever be able to thwart a sophisticated cyberattack like the one against Target, in which attackers compromised the credentials of a third-party HVAC service provider to gain access to the Minneapolis-based retailer's network and then installed RAM-scraping malware on its point-of-sale systems.
Richard Santalesa, a founding attorney with the Smartedge Law Group in Fairfield, Conn., said Verizon's findings are, at best, a mixed bag for merchants and the PCI standard itself.
"Any test that only 11% [of companies] pass means something's wrong," Santalesa said, "but I think it highlights that success with the annual baseline assessment and with security overall depends on continuous monitoring and constantly striving to achieve a manageable level of risk."
Verizon's Simonetti said many firms simply don't recognize that the PCI compliance process is not just "a project on its own," but rather exists to mitigate the risk inherent in any merchant's business processes. That means organizations should actively utilize the knowledge gleaned from an assessment after its completion.
Yet many organizations have come around to PCI, if for no other reason than the necessity of avoiding penalties from their acquiring banks. Weil said the typical fine for not complying with PCI can range from $5,000 to $15,000 per month, but can quickly skyrocket in the event of a breach if a merchant is found to be noncompliant at the time of the incident.
Santalesa referenced the pending litigation involving specialty retailer Genesco Inc., which is suing Visa Inc. in a dispute over a $13.3 million fine it received following a 2009 data breach. Though such a large fine is atypical, he said it serves as proof of how expensive PCI noncompliance can be.
Few organizations choose to accept a fine willingly instead of pursuing PCI compliance, according to Weil, because peer pressure from business partners, as well as the need to limit overall liability risk, has pushed most organizations to a place where they do their best to achieve PCI compliance.
Yet experts remain uncertain about the future of PCI compliance and how successfully merchants will transition to the new standard, version 3.0.
Simonetti expressed cautious optimism. He said because PCI DSS 3.0 is more focused, he is hopeful that more organizations will take advantage of the opportunity to reduce the scope of the CDEs, making their PCI assessments easier.
Weil, who said he is already beginning some assessment engagements based on PCI 3.0, indicated that as of now, organizations are taking on risk working with 3.0, because key information about the vulnerability assessment processes and the reporting template have yet to be released by the SSC.
"I think some organizations are being encouraged to assess against 3.0, either by key business partners or the credit card companies," according to Weil, primarily because it offers some important clarifications and demonstrates a commitment to the importance of payment card security.
PCI compliance hard, but worthwhile
Despite the challenges presented by the PCI compliance process, nearly all believe that it has helped most merchants implement better security controls and increased payment card security awareness throughout the industry.
"There is a strong incentive to be compliant," Santalesa said, referencing the more than 11 billion in global card fraud losses in 2012, a prominent data point in the Verizon PCI report. "Even though it's difficult to maintain full compliance 365 days per year and will be even harder in PCI DSS 3.0, the requirements they put in make sense."
Simonetti emphasized that PCI compliance isn't a cure-all but that the results of post-breach forensic investigations at breached organizations have proven that had the merchant been fully PCI compliant, the breach could have been avoided.
"I like to think of PCI DSS as like a safety belt," Simonetti said. "It doesn't necessarily prevent you from having an accident, but in case you do, you're more likely to survive."