The 2015 Verizon PCI Report won't be revealed until next month, but in a sneak preview this week, the managed IT services giant hinted at two key problem areas that cause merchants to fall out of PCI DSS compliance.
During a press event Monday at the National Retail Federation conference, Verizon provided a glimpse at what's to come in its eagerly awaited annual report, which will analyze the findings from thousands of PCI DSS compliance assessments conducted by Verizon Enterprise Solutions during the past three years.
'Business-as-usual' PCI compliance proves difficult
According to Verizon, its early look at the 2015 data indicates most merchants struggle to maintain year-round PCI compliance. The company said fewer than one-third of organizations had remained fully PCI compliant less than a year after being validated.
That's in stark contrast to the "continuous compliance" mantra advocated by the PCI Security Standards Council. According to experts, one of the primary objectives of PCI DSS version 3.0 is to require companies to maintain adequate security controls to protect payment card data at all times, not merely to pass an annual assessment.
Nancy Rodriguez, a PCI compliance program manager with an international manufacturer of medical devices, services and lighting solutions, said embedding PCI compliance into "business as usual" business processes isn't easy.
She said a systematic effort requires meeting with business process owners across a company, developing an understanding of how processes work and where data flows, and then establishing ways to integrate PCI compliance without disrupting business activities. That undertaking is made harder, Rodriguez added, because even in large organizations the PCI compliance team is usually just a handful of people.
"I am lucky enough to have come [to my current employer] at a time when the company is in the beginning stages of redefining all of its processes based on core, standard elements," Rodriguez said. "We established core domains -- information security, PCI, privacy, etc. -- that produced descriptions of their processes, along with controls. We then reviewed each other's processes and controls to determine if our own domain should be engaged, and how."
It's a laborious, time-consuming process even for a sizable organization such as hers, Rodriguez said, underscoring the struggle many smaller merchants face in remaining compliant beyond a single point in time.
Steven Weil, a former Qualified Security Assessor and independent security consultant based in Los Angeles, said he is starting to see more organizations adopt a year-round approach to PCI compliance, but it's a challenge because an organization must have a mature information security and compliance program.
"Unfortunately," Weil said, "there are still many less-mature organizations that continue to just focus, once a year, on being compliant with PCI; this is increasingly risky for the organizations."
Firewall compliance, security testing among top issues
According to Verizon, the two areas where organizations most often fail to meet PCI compliance requirements are Requirement 11, which covers the regular testing of security systems and processes, and Requirement 1, which covers firewall maintenance.
The company offered few details, but in a statement, Rodolphe Simonetti, director of compliance and governance professional services for Verizon Enterprise Solutions, indicated the changing cybersecurity landscape demands that organizations change the way they approach security.
"Businesses need to adopt a model that we call 'resilience,' which means they must accept they can never be fully secure," Simonetti said. "There is no silver bullet for data protection."
Weil speculated that Verizon has seen that firewall rule reviews are not being conducted adequately, or not being conducted at least every six months, as required by the PCI DSS.
"In large or complex organizations, key firewalls that are subject to PCI can have hundreds of rules that must be reviewed," Weil said. "It can be difficult and very time-consuming for busy security professionals to understand which rules are still valid and which rules need to be removed/disabled. Plus, firewall admins are afraid that turning off a firewall rule might 'break something.'"
Rodriguez agreed, saying even though firewall maintenance is fundamental to virtually any sound information security program, the PCI DSS requirements around firewalls are "very prescriptive," especially regarding documentation and business justification for use of all services, protocols, and ports allowed.
"There are many out there who just aren't aware of the PCI DSS requirements," Rodriguez said, "so they haven't built these controls into their processes and procedures."
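The firewall rule review described above, turned into a checklist a reviewer can run, as an added example (not code from Verizon, the article, or the people quoted). It walks a constructed rule set and flags the three conditions the discussion raises: rules with no documented business justification, rules not reviewed within six months, and rules with no recent hits that are candidates for removal. The field names and sample rules are assumptions, not a real firewall export format.

```python
"""Firewall rule-set review helper: added example, not from Verizon or the article.
PCI DSS Requirement 1 wants a documented business justification for every allowed
service/protocol/port and a rule-set review at least every six months. Field names
are assumed; they are not taken from any real firewall export format."""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=182)  # "at least every six months"
REVIEW_DATE = date(2015, 1, 15)        # constructed date of this review

@dataclass
class Rule:
    rule_id: str
    src: str
    dst: str
    proto: str
    port: int
    justification: str   # business justification; empty string = undocumented
    last_reviewed: date  # when the rule was last confirmed as still needed
    hits_90d: int        # matches in the last 90 days, from firewall counters

def review_rules(rules, today):
    """Return {rule_id: [findings]} for every rule that fails a review check."""
    findings = {}
    for r in rules:
        problems = []
        if not r.justification.strip():
            problems.append("no documented business justification")
        if today - r.last_reviewed > REVIEW_INTERVAL:
            problems.append("not reviewed within six months")
        if r.hits_90d == 0:
            problems.append("zero hits in 90 days; candidate for disable/removal")
        if problems:
            findings[r.rule_id] = problems
    return findings

# Constructed sample rule set; addresses, dates and counters are made up.
SAMPLE_RULES = [
    Rule("R1", "10.0.1.0/24", "10.0.9.10", "tcp", 443, "POS to payment gateway", date(2015, 1, 5), 48210),
    Rule("R2", "any", "any", "tcp", 23, "", date(2013, 6, 1), 0),
    Rule("R3", "10.0.2.15", "10.0.9.20", "tcp", 1433, "reporting DB access", date(2014, 5, 1), 3120),
    Rule("R4", "10.0.3.0/24", "10.0.9.30", "udp", 161, "SNMP monitoring", date(2014, 12, 1), 0),
]

def sample_findings():
    return review_rules(SAMPLE_RULES, REVIEW_DATE)

if __name__ == "__main__":
    for rule_id, problems in sample_findings().items():
        print(rule_id, "->", "; ".join(problems))
```

In practice the rule list would be loaded from the firewall's own export and the hit counters from its logs; the checks themselves are what the reviewer signs off on every six months.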
Meanwhile, Requirement 11 includes a minefield of difficult mandates covering everything from wireless network security to regular network security scans and third-party penetration tests.
That organizations continue to struggle with Requirement 11 is hardly a surprise; Verizon reported last year that among the most compliant organizations -- those that met 95% of the PCI DSS controls -- more than half failed Requirement 11. Adding to the struggle is a new directive in PCI 3.0 that organizations implement a formal pen testing methodology, thought to be one of the most daunting changes in the updated version of the standard.
Derek Brink, a vice president and research fellow with the Boston-based Aberdeen Group research firm, said the challenge of meeting PCI's requirements becomes even more daunting amid the reality that today's IT infrastructures are significantly more complex than just a few years ago.
"The real objective for any organization should be to reduce the risk to an acceptable level," Brink said. "That implies reducing the likelihood of breaches -- by implementing and maintaining the generally accepted security controls and processes -- as well as reducing the impact of the breaches that inevitably are going to occur."
While Brink lamented that some will undoubtedly use what may ultimately be disheartening findings from Verizon to "beat up on the PCI standards," he stressed that merchants should make a sincere effort to achieve and sustain PCI compliance, because organizations that do so will undoubtedly be more secure than they would be otherwise.
"To me," Brink added, "the immense value of the Verizon work is that it will provide facts and trends for the key issues of likelihood and impact, which are what you have to have for a genuine conversation about risk."
In its release, Verizon confirmed next month's PCI report will include findings based on data from Fortune 500 and large multinational firms in more than 30 countries. In addition to a review of how and where companies fall out of PCI compliance once achieved, it will provide an in-depth look at each of the 12 PCI requirements, plus a first-time look at compliance efforts specific to version 3.0.
In the 2014 Verizon PCI Report, penetration testing and password security issues were found to cause problems during PCI assessments.