
Preview of 2015 Verizon PCI report hints at firewall compliance issues

In a sneak preview of its 2015 PCI Compliance Report, Verizon says improper firewall maintenance is among the leading causes of PCI DSS compliance failures.

The 2015 Verizon PCI Report won't be revealed until next month, but in a sneak preview this week, the managed IT services giant hinted at two key problem areas that cause merchants to fall out of PCI DSS compliance.

During a press event Monday at the National Retail Federation conference, Verizon provided a glimpse at what's to come in its eagerly awaited annual report, which will analyze the findings from thousands of PCI DSS compliance assessments conducted by Verizon Enterprise Solutions during the past three years.

'Business-as-usual' PCI compliance proves difficult

According to Verizon, its early look at the 2015 data indicates most merchants struggle to maintain year-round PCI compliance. The company said fewer than one-third of organizations had remained fully PCI compliant less than a year after being validated.

That's in stark contrast to the "continuous compliance" mantra advocated by the PCI Security Standards Council. According to experts, one of the primary objectives of PCI DSS version 3.0 is to require companies to maintain adequate security controls to protect payment card data at all times, not merely to pass an annual assessment.

Nancy Rodriguez, a PCI compliance program manager with an international manufacturer of medical devices, services and lighting solutions, said embedding PCI compliance into "business as usual" business processes isn't easy.

She said a systematic effort requires meeting with business process owners across a company, developing an understanding of how processes work and where data flows, and then establishing ways to integrate PCI compliance without disrupting business activities. That undertaking is made harder, Rodriguez added, because even in large organizations the PCI compliance team is usually just a handful of people.

"I am lucky enough to have come [to my current employer] at a time when the company is in the beginning stages of redefining all of its processes based on core, standard elements," Rodriguez said. "We established core domains -- information security, PCI, privacy, etc. -- that produced descriptions of their processes, along with controls. We then reviewed each other's processes and controls to determine if our own domain should be engaged, and how."

It's a laborious, time-consuming process even for a sizable organization such as hers, Rodriguez said, underscoring the struggle many smaller merchants face in remaining compliant beyond a single point in time.

Steven Weil, a former Qualified Security Assessor and independent security consultant based in Los Angeles, said he is starting to see more organizations adopt a year-round approach to PCI compliance, but it's a challenge because an organization must have a mature information security and compliance program.

"Unfortunately," Weil said, "there are still many less-mature organizations that continue to just focus, once a year, on being compliant with PCI; this is increasingly risky for the organizations."

Firewall compliance, security testing among top issues

According to Verizon, the two areas where organizations most often fail to meet PCI compliance requirements are Requirement 11, which covers the regular testing of security systems and processes, and Requirement 1, which covers the maintenance of firewalls.

The company offered few details, but in a statement, Rodolphe Simonetti, director of compliance and governance professional services for Verizon Enterprise Solutions, indicated the changing cybersecurity landscape demands that organizations change the way they approach security.

"Businesses need to adopt a model that we call 'resilience,' which means they must accept they can never be fully secure," Simonetti said. "There is no silver bullet for data protection."

Weil speculated that Verizon has seen that firewall rule reviews are not being conducted adequately, or not being conducted at least every six months, as required by the PCI DSS.

"In large or complex organizations, key firewalls that are subject to PCI can have hundreds of rules that must be reviewed," Weil said. "It can be difficult and very time-consuming for busy security professionals to understand which rules are still valid and which rules need to be removed/disabled. Plus, firewall admins are afraid that turning off a firewall rule might 'break something.'"

Rodriguez agreed, saying even though firewall maintenance is fundamental to virtually any sound information security program, the PCI DSS requirements around firewalls are "very prescriptive," especially regarding documentation and business justification for use of all services, protocols, and ports allowed.

"There are many out there who just aren't aware of the PCI DSS requirements," Rodriguez said, "so they haven't built these controls into their processes and procedures."

Meanwhile, Requirement 11 includes a minefield of difficult mandates covering everything from wireless network security to regular network security scans and third-party penetration tests.

That organizations continue to struggle with Requirement 11 is hardly a surprise; Verizon reported last year that among the most compliant organizations -- those that met 95% of the PCI DSS controls -- more than half failed Requirement 11. Adding to the struggle is a new directive in PCI 3.0 that organizations implement a formal pen testing methodology, thought to be one of the most daunting changes in the updated version of the standard.

Derek Brink, a vice president and research fellow with the Boston-based Aberdeen Group research firm, said the challenge of meeting PCI's requirements becomes even more daunting amid the reality that today's IT infrastructures are significantly more complex than just a few years ago.

"The real objective for any organization should be to reduce the risk to an acceptable level," Brink said. "That implies reducing the likelihood of breaches -- by implementing and maintaining the generally accepted security controls and processes -- as well as reducing the impact of the breaches that inevitably are going to occur."

While Brink lamented that some will undoubtedly use what may ultimately be disheartening findings from Verizon to "beat up on the PCI standards," he stressed that merchants should make a sincere effort to achieve and sustain PCI compliance, because those organizations will undoubtedly be more secure than they would otherwise be.

"To me," Brink added, "the immense value of the Verizon work is that it will provide facts and trends for the key issues of likelihood and impact, which are what you have to have for a genuine conversation about risk."

In its release, Verizon confirmed next month's PCI report will include findings based on data from Fortune 500 and large multinational firms in more than 30 countries. In addition to a review of how and where companies fall out of PCI compliance once achieved, it will provide an in-depth look at each of the 12 PCI requirements, plus a first-time look at compliance efforts specific to version 3.0.

Next Steps

In the 2014 Verizon PCI Report, penetration testing and password security issues were found to cause problems during PCI assessments.


How has your organization adapted to the rigorous firewall compliance mandates in PCI DSS 3.0?
My organization has adapted to the rigorous firewall compliance mandates in PCI DSS 3.0 in a number of ways. For instance, I have managed to integrate PCI DSS security continuously for daily business and operational procedures. I have also been able to monitor security controls regularly, as well as meet compliance at all times, in order to ensure that the organization is not prone to security control failures, accidental information leakage or malicious attack.
That's great Harold. You're probably ahead of most organizations. I was surprised just how rigorous the operational requirements are around ongoing firewall rules maintenance and documentation. I'd appreciate the chance to hear more sometime -- send me a note at Thanks!
Firewall maintenance is a headache in our organization where we do development. We avoid "breaking something" especially for apps requiring network access and cloud-based tools.
Thanks for commenting David. I'd be interested in hearing more about how you're managing balancing exceptions against maintaining rulesets and policy. Send me a note if you have a chance - Thanks again!
When we were a startup, our end users were developers who are tech-savvy. We let each user be responsible for their firewall settings. Security tasks were protecting our server and occasionally reviewing the security settings on all machines. With the company's growth, we now have designers, UX engineers and other classes of personnel who aren't as skilled in security. Changes have been made, especially in the face of the challenge of managing firewall exceptions, rules and policies across different platforms, a BYOD policy and cloud-based solutions. We ended up deploying an open-source firewall (OpenVPN), which we modified to allow remote management and scripting. Its features (e.g. Android support), combined with our customization, let us manage firewall settings remotely and via scripting without compromising usability or security.