Report: Companies still stumped by PCI DSS

By Bill Brenner, Senior News Writer
20 Sep 2007 | SearchSecurity.com


As the IT officer for Biddeford Savings Bank in Maine, Keith Gosselin has found that most security regulations and standards carry common demands. Company computer systems must be protected by multiple layers of security, including data encryption, and sensitive customer information should not be stored unless absolutely necessary.

Enterprises living by those rules should be in a good position to meet everything from the demands of the Sarbanes-Oxley Act to the Payment Card Industry Data Security Standard (PCI DSS), Gosselin said. Therefore, he's surprised by a new report from VeriSign Inc. showing that many companies continue to struggle with the demands of PCI DSS.

The Mountain View, Calif.-based company based its report on a review of 60 PCI audits it recently conducted for 50 large companies. VeriSign measured the extent to which companies are meeting more than 230 data security requirements and found 53% failing to meet key elements of PCI DSS. VeriSign found companies coming up short in several key areas, including regular testing, securing applications, logging and protecting data. The chief point of failure for 48% of customers was that they weren't regularly testing their controls to make sure they work.

"The biggest sticking point for many is that there's so much detail to comply with," said Graham Gillen, a senior manager in VeriSign's PCI group. "Scanning is an obvious requirement, but there has been confusion over which systems should be scanned, how deep a scan needs to go, and so on."

Under PCI DSS, Level 1 merchants -- those that process more than six million card transactions a year -- are subject to an annual on-site assessment and quarterly network scans performed by an approved vendor. Level 2 and Level 3 merchants, which together cover the range from 20,000 to six million card transactions a year, must complete an annual self-assessment questionnaire and have an approved vendor conduct quarterly network scans. The standard sets out 12 basic security requirements, including encryption, access controls and firewalls. Penalties for noncompliance include fines of up to $500,000, increased auditing requirements and even loss of the ability to process card transactions.

Level 1 companies face a Sept. 30 compliance deadline, while Level 2 merchants have until the end of December to have their security up to standard, Gillen said.

On the plus side, fewer companies are failing now compared to last year, when VeriSign saw a 73% failure rate among customers. But that piece of good news is offset by the fact that an ever-shifting data security landscape is causing many enterprises to fail requirements that they had passed the year before.

For example, Gillen said, IT shops are supposed to segregate data to make it harder to steal, but doing so means there are more systems that have to be scanned. So scanning procedures that were adequate a year before become insufficient. "As you solve one problem, it creates another problem," he said.

Surprised by ongoing failures
Gosselin said he can understand the difficulties some companies face. There's a lot of oversight today that didn't exist five years ago, he noted. But he was surprised to see companies continuing to stumble over testing procedures.

He said one surprise from the VeriSign report is the high failure rate some continue to have in meeting third-party testing requirements. "I would think for the most part this would be an easy one to knock off and I would assume that many of these companies would already have an engagement with someone in place [for proper testing procedures]," he said. "That said, it surprises me how high that number is."

Gosselin was also surprised by the suggestion that many companies keep struggling to keep track of all their stored customer data. After all, he said, companies should know by now that customer data shouldn't be stored in the first place.

"Why would anyone want to hold on to that data?" he asked. "Just pass it through to VISA and imagine how much easier your life suddenly becomes."

Auditor finds fault with VeriSign report
While he agrees with some of VeriSign's conclusions, one independent PCI DSS auditor found fault with some of the report. Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said the report doesn't always account for some critical differences and inter-relationships between a threat (an actor or a mechanism), a vulnerability (a way for the threat actor or mechanism to carry out an exploit), and an asset (the money), all of which result in some level of risk. "Wireless use, for example, is not a threat -- it is simply a fact that may represent a risk," he noted.

Nebel also took issue with VeriSign's indication that clients who passed requirement 6 of PCI DSS still have applications at risk. Requirement 6 requires that companies develop and maintain secure systems and applications, and to pass the requirement while applications remain at risk is patently impossible, he said.

"Either you develop and maintain secure applications or you don't," he said. "Requirement 6.2 is pretty clear -- '…information security [is] included throughout the…SDLC (Systems Development Lifecycle)…' -- if it is then you can't deploy an application that is not secure. A security-aware SDLC would include test and acceptance as well as ongoing operational monitoring."

Finding common ground
Despite his issues with the VeriSign report, Nebel said he agrees with the overall conclusions. Most compromises are the result of merchants taking on blind faith that their vendors' products are secure, when in most cases they are not, because there are default passwords in remote management software and the products don't encrypt cardholder data by default (or at all), he said, adding, "I also agree that the best strategy to reduce the risk of a compromise is to store less data and encrypt what you do store."
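Both Gosselin's point that cardholder data should not be stored at all and Nebel's advice to store less are only actionable once a merchant knows where primary account numbers (PANs) have actually landed: application logs, debug dumps, exports and backups are where assessors usually find them. The script below is an added example, not code from the article, from VeriSign or from FTI Consulting. It finds candidate PANs in text by combining a digit-pattern match with the Luhn check digit that card brands use, and rewrites each confirmed hit to the first six and last four digits, the most a stored or displayed PAN may show under PCI DSS. The log lines in `SAMPLE_LOG` are constructed for the example, and the card numbers in them are the well-known brand test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits (so timestamps and
# long numeric IDs are not cut into pieces that happen to look like cards).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log for this example. The first two PANs are brand
# test numbers; the third is one digit off and fails the Luhn check; the
# fourth line carries a 13-digit session ID that is not a card number.
SAMPLE_LOG = """2007-09-20 10:15:02 order=88213 pan=4111 1111 1111 1111 amount=19.99
2007-09-20 10:15:03 order=88214 pan=378282246310005 amount=250.00
2007-09-20 10:15:04 order=88215 ref=4111111111111112 amount=5.00
2007-09-20 10:15:05 session=1190283305000 user=bob
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands.

    Every second digit from the right is doubled, digits above 9 have 9
    subtracted, and the total must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate: str) -> str:
    """Strip the spaces and dashes the regex allowed between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (offset, PAN) for every Luhn-valid candidate found in text.

    Luhn validity is evidence, not proof: roughly one random digit string in
    ten passes it, so hits still need review, and a number that fails the
    check can still be a mistyped PAN and is worth a look.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group())
        if luhn_valid(digits):
            hits.append((m.start(), digits))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""

    def repl(m: "re.Match[str]") -> str:
        digits = _normalize(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()

    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_LOG):
        print(f"offset {offset}: found PAN {mask_pan(pan)}")
    print(redact(SAMPLE_LOG))
```

Run over the sample, the scanner reports the two valid PANs, masks them to `411111******1111` and `378282*****0005`, and leaves the Luhn-invalid `ref=` value and the session ID untouched. In practice the same functions are pointed at log directories, database exports and backup images; anything the scanner finds is data the organization is storing whether or not it meant to, and the remedy the article's sources recommend is to stop writing it in the first place rather than to keep masking after the fact.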

In the final analysis, Gillen said companies who continue to struggle should not panic. Visa and MasterCard have hinted they will be forgiving to those who at least show they have a plan to address remaining problems, he said.

"As long as you know what you need to do and when you need to do it, that'll probably be considered good enough in most cases," he said. "When the deadline hits, just be able to say where work is still needed and what you are doing about it."
