In this video, Wade Baker, Verizon's director of risk, explains the Verizon PCI report (.pdf) and what it has to say about the state of the standard.
He also offers PCI analysis on the difficulty companies have keeping up with the standard, and who is really culpable for the sweeping lack of compliance.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
PCI analysis: Wade Baker on Verizon PCI report findings
Eric Parizo: Hi, I'm Eric Parizo, from SearchSecurity.com. It's great to have you
with us. Joining me today is Wade Baker, Director of Risk Intelligence for
Verizon. Wade, thanks so much for being with us today.
Wade Baker: Absolutely. Glad to.
Eric Parizo: Let's talk about PCI for a few minutes. Last year Verizon released
the 2010 payment card industry compliance report. What were the key take
Wade Baker: So, that was a very interesting thing. We were glad to be able to do
it. It's a similar model to our data breach report, where we're looking at
real information. We kind of like this approach: looking at real data, what QSAs
found in real companies, compiling that together, and you see some very
interesting trends at companies. One, they have a difficult time meeting
what PCI requires. I can't remember the exact number, but something like 20%,
more or less, were able to achieve PCI compliance on their initial report
on compliance, which means 80% thought they were ready for an assessment
and didn't make it. That's pretty interesting. A lot of the problem areas
that you find are the same things that we see highlighted in the report.
Eric Parizo: In the findings it was certainly hard to ignore that companies are
struggling to maintain PCI DSS compliance, often leading to lapses, which in
turn lead to data breaches. Who's at fault here? Is it the companies
themselves? Is it the standard? Is it both? Is it neither?
Wade Baker: That's a tough and dangerous question to answer, right? No, I'm not
sure anybody knows the answer, to be quite honest, because it's something
that hasn't been researched to the extent and level that we need to
research an important question like that. So, for instance, are the
controls that are contained in PCI the ones that should be required? Is
the exact mix of controls the best it can be? Not really sure. When you
look at it at the high level like we've done in this report, you see, when
we overlay the threats that we see in the data breach investigations report
and the areas where PCI is saying these things should be required, it
doesn't look like there's just a lot of fluff and a lot of waste. We could
knock out this section, and that section is useless, and you can take out
this. It's not that kind of story. At the same time, it is clear that
organizations struggle, and whether they're struggling because they're not
motivated, whether they're struggling because they don't really have their
act together, or whether it's just flat out hard to do or too expensive,
it's difficult to tell where the fault lies, and it may not even be
that there's a fault. It's just a complex system. There are many points of
failure, many players in the game, and all of them have a role, and it's
kind of new, in the big scheme of things. So, I'm not sure there is one
fault. It's probably a lot of areas that need improvement.
Eric Parizo: Now the PCI DSS is on a three-year update cycle. Do you think that
will help with compliance and ultimately help to prevent data breaches?
Wade Baker: I hope it will. I think it all depends on what those updates are
based on. So one of the things I'm hoping to see in the near future is
updates based on threats. Are we monitoring the world for what's going on,
especially in PCI-relevant breaches and whatnot? And are we updating those
controls based on what we've learned? In talking to the PCI council, I
think they're trying to do that. Again, is there room for improvement? Is
three years too long? Difficult questions, and I'm not sure we have the data
to answer them. But in theory, yes, they desperately need to be updated.
They made a stagnant standard that would not be very effective years down
the road. But they absolutely have to stay up with what's really affecting
organizations, and assessing, asking honest questions about whether we are doing the
right things here.