It's no surprise that the transition to version 3.0 of the Payment Card Industry Data Security Standard began in earnest last year, with many organizations redoubling their efforts to comply with its more than 100 new controls.
What is surprising is that the industry's most comprehensive annual study of PCI compliance indicates enterprises are, on the whole, actually getting better at achieving full PCI compliance. Unfortunately, few can sustain it.
The Verizon 2015 PCI Compliance Report, previewed this week by SearchSecurity prior to its official release Thursday, analyzes the findings of approximately 3,000 PCI DSS assessments conducted by Verizon during the last three years.
As in years past, slightly more than half of the assessments in the 2015 report were Initial Reports on Compliance (IRoCs), also known as gap assessments, while the rest were Final Reports on Compliance.
More than 90% of Verizon's assessments last year were performed at Level 1 merchants, defined by the PCI Security Standards Council (SSC) as merchants that process more than 6 million transactions per card brand per year. A majority of companies in the data set (55%) are based in North America, while 71% of the organizations operate in the financial services, retail or hospitality industries.
PCI compliance: Easier to get, harder to keep
In comparing year-over-year data, Verizon found that the percentage of fully compliant organizations nearly doubled in 2014. At the time of its customers' IRoCs -- essentially the result of their initial attempt to gain PCI compliance -- Verizon reported that the number of fully compliant organizations rose from 11.1% in 2013 to 20%.
Though that still leaves four out of every five organizations noncompliant, Rodolphe Simonetti, managing director of professional services for Verizon Enterprise Solutions, said there's still reason for optimism.
"Though security is still not as good as we expect, or as good as we think it should be," Simonetti said, "PCI compliance is definitely improving across the board. We see a positive trend."
To that end, Verizon's data revealed that its customers are getting better at PCI compliance. It found that more than 80% of organizations were able to meet 90% of all subcontrols and testing procedures in the PCI DSS, and that a quarter of the subcontrols and testing procedures were achieved by all the organizations Verizon assessed, marking the first year it's seen any subcontrol or testing procedure mastered by the entire data set.
Looking at IRoC compliance with each of the 12 requirements, Verizon found that organizations were more likely to be in full compliance with 11 of them in 2014 than they were the year before. Some requirements saw dramatic gains: just 33% of organizations were compliant with Requirement 8 at the time of their interim assessments in 2013, but that number skyrocketed to 69% last year; similarly, a mere 44% of organizations met all of Requirement 10 during their IRoCs two years ago, compared with 76% in 2014.
Despite the daunting number of subcontrols and testing procedures in PCI DSS 3.0 -- 287 by Verizon's count -- Simonetti said organizations are getting better at PCI compliance through practice and because the pressure to avoid being the next high-profile data breach victim is as high as it's ever been.
"With all the major breaches we've seen, companies and end users are more worried about credit card security today than they were two years ago," Simonetti said. "For the first time in history, we saw an executive being fired because of a security breach at his company, so it's definitely becoming more of a focus," he added, referring to last year's resignation of Target Corp. CEO Gregg Steinhafel following that retailer's massive data breach during the 2013 holiday shopping period.
Verizon: Organizations struggle to remain PCI compliant
Unfortunately for merchants, Verizon's latest PCI report also contains plenty of disheartening data, including how difficult it is to not only achieve compliance, but also maintain it.
Verizon found that just 28.6% of organizations remained fully PCI compliant less than a year after a successful PCI validation. Worse yet, Verizon admitted that today's security techniques are barely even slowing down attackers, never mind stopping them.
"Our viewpoint has always been that the PCI DSS is a baseline, an industry-wide minimum acceptable standard," said Verizon in the report, "not the pinnacle of payment card security."
Verizon calls for changes in PCI DSS 3.1
In the 2015 Verizon PCI Compliance Report, the authors called on the PCI Security Standards Council (SSC) to make a pair of specific changes, in addition to addressing the issues surrounding SSL/TLS security.
The company said references to outdated stateful-inspection firewalls should be replaced with the latest firewall and antimalware technology.
An obscure scope-reduction guideline that calls for "full isolation" of all communication between the CDE and any non-CDE component, regardless of the security of the channel and the direction of initiation, often means organizations don't scope as tightly as they should, according to Verizon. It called on the SSC to provide more clarity on scope-reduction techniques.
In a statement, PCI SSC Chief Technology Officer Troy Leach said the industry is making clear progress in many key areas when it comes to protecting customers' payment data, and that the SSC remains committed to making payment security business-as-usual through increased education and awareness, flexibility and reinforcing security as a shared responsibility among payment data security stakeholders.
"However, the report underlines that we still have a long way to go because cyberattacks are on the rise," Leach said, "and too many companies do not make payment security an everyday priority."
Simonetti said arguably the most important overarching message from this year's report is that successful data security isn't a project, but a process that must be embedded in all of a company's business activities.
"The main takeaway from this report is the more compliant you are with PCI, the less likely you are to suffer a data breach, and we have very strong facts to support that," Simonetti said. "We've conducted thousands of assessments and attestations in the past 10 years, and we haven't found a single company that was breached and then turned out to be fully compliant."
Requirement 11 remains stumbling block
PCI DSS Requirement 11, which covers the regular testing of security systems and processes, remains a major stumbling block for merchants.
According to Verizon, which in its report included a year-over-year compliance comparison for each of the 12 requirements, Requirement 11 was the only one in which compliance declined, from 40% in 2013 to just 33% last year. Even more stark is that 14 of the 20 least-complied-with subcontrols and testing procedures were within Requirement 11, including all seven of the least-complied-with testing procedures.
The most vexing testing procedure proved to be 11.2.1.a, which requires that four quarterly vulnerability scans be performed within the most recent 12-month period. Verizon found less than 65% of organizations managed to comply with that procedure. A close second was 11.2.1.b -- requiring rescans until all "high-risk" vulnerabilities are resolved -- with less than 69% compliance.
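To make the two testing procedures concrete, here is an added example (not from the Verizon report or the PCI SSC) that checks a set of scan records against 11.2.1.a and 11.2.1.b. It assumes the "most recent 12-month period" is split into four consecutive three-month quarters ending on the assessment date, and that a quarter satisfies 11.2.1.b only if its last scan left no high-risk findings open; the scan records are constructed sample data.

```python
"""Evidence check for PCI DSS testing procedures 11.2.1.a and 11.2.1.b (hypothetical
helper, not from the Verizon report or the PCI SSC). Assumes the "most recent 12-month
period" is four consecutive three-month quarters ending on the assessment date."""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScanRecord:
    performed: date
    high_risk_open: int  # "high-risk" findings still unresolved after this scan


def months_back(d: date, n: int) -> date:
    """Date n months before d, clamping the day to the target month's length."""
    m = d.month - n - 1
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def check_11_2_1(scans, assessment_date):
    """Return (passes_a, passes_b, notes) for the four quarters before assessment_date.
    11.2.1.a: at least one scan in every quarter.
    11.2.1.b: the last scan of each quarter left no open high-risk findings,
    i.e. the organization rescanned until they were resolved."""
    passes_a = passes_b = True
    notes = []
    for q in range(4):
        end = months_back(assessment_date, 3 * q)
        start = months_back(assessment_date, 3 * q + 3)
        in_q = sorted((s for s in scans if start < s.performed <= end), key=lambda s: s.performed)
        if not in_q:
            passes_a = False
            notes.append(f"11.2.1.a: no scan in quarter ending {end}")
        elif in_q[-1].high_risk_open:
            passes_b = False
            notes.append(f"11.2.1.b: {in_q[-1].high_risk_open} high-risk finding(s) "
                         f"still open after last scan on {in_q[-1].performed}")
    return passes_a, passes_b, notes


# Constructed sample evidence for an assessment dated 2015-03-31.
SAMPLE_ASSESSMENT = date(2015, 3, 31)
SAMPLE_SCANS = [
    ScanRecord(date(2014, 4, 15), 2), ScanRecord(date(2014, 5, 10), 0),  # Q1: rescanned clean
    ScanRecord(date(2014, 8, 1), 0),                                      # Q2: clean first time
    ScanRecord(date(2014, 11, 20), 3),                                    # Q3: never rescanned
]                                                                         # Q4: no scan at all
```

Run against the sample, the check fails 11.2.1.a for the quarter with no scan and 11.2.1.b for the quarter whose last scan still had three high-risk findings open.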
Mike Villegas, QSA and vice president with Houston-based consulting firm K3DES LLC, said that because vulnerability scanning technology is rapidly improving, thanks to integration with new forms of threat intelligence, enterprises often find that their scans uncover many more problems than they anticipated. That in turn makes it harder to successfully resolve all the issues, and in some cases there may not be ways to resolve them.
Ed Fox, vice president of network services with New York-based telecommunications service provider MetTel, which both complies with PCI DSS and offers network compliance services, said in one recent engagement that a customer expressed a desire not to use a specific Approved Scanning Vendor because the customer knew it wouldn't be able to pass its advanced scanning techniques. In another case, he cited a customer who attempted to go beyond the standard by installing threat management systems, but those systems themselves failed the vulnerability scan.
"Nobody can continually test throughout the year because it's so time-consuming and takes resources away from other corporate goals," Fox said. "It's certainly a place where the PCI Council needs to put a lot more focus."
Meanwhile, compliance with subrequirement 11.1 fell 10% from a year earlier, with Verizon noting that organizations often fail this control because they falsely believe that they don't need to scan for rogue access points if they have chosen not to use in-scope wireless networks.
Villegas said he commonly has to instruct his clients to scan for rogue access points because they incorrectly believe that simply turning off Wi-Fi and scoping it out of their cardholder data environments exempts them from having to conduct the scanning exercise.
"A rogue access point is going to be connected to another device that's already on the network," Villegas said. "So, if I have a workstation that connected to that AP, suddenly that's an entryway into the network."
That organizations continue to struggle with Requirement 11 is hardly a surprise; Verizon reported last year that among organizations that met 95% of the PCI DSS controls, more than half failed Requirement 11. Adding to the struggle is a new directive in PCI 3.0 that organizations implement a formal pen testing methodology, thought to be one of the most daunting changes in the updated version of the standard.
Firewall documentation, data storage prove challenging
Verizon's in-depth review of how well organizations comply with each of the 12 requirements revealed a number of notable findings.
While most of Requirement 1 -- covering the installation and maintenance of firewalls -- posed little challenge, 24% of organizations failed to meet subrequirement 1.1 during the IRoC stage. According to Verizon, many organizations have struggled with the new subcontrols involving network diagrams and data flow maps.
"Our QSAs are sometimes presented with a large number of diagrams, none of which show the right things," said Verizon in the report. "Most get the level of detail completely wrong: some border on the conceptual, others give far too much detail, distracting from their intended purpose."
Verizon called for the PCI SSC to clarify 1.1, and to help companies understand the scope of the cardholder data environment and opportunities to reduce it.
In response, Leach said one of the main intents of network and cardholder data flow diagrams is to ensure the scope of the cardholder data environment is understood. He noted that in the "Scope of PCI DSS Requirements" section of PCI DSS 3.0, it mentions that entities should confirm the accuracy of their PCI DSS scope by annually identifying all locations of cardholder data and ensuring they are included in scope.
"Once all locations are identified," Leach said, "it is much easier to diagram those locations in their network and then use that information to confirm that the PCI DSS scope includes all locations and flows of cardholder data."
On Requirement 2 -- default passwords -- more organizations (13%) struggled to remove default accounts, while just 84% of the data set complied with 2.2.4.c and 2.2.5.c, which cover whether a sample of systems meets the documented configuration standards.
Aside from Requirement 11, Requirement 3 proved to be the greatest struggle for merchants in 2014, with just 62% of organizations being compliant in their IRoC last year. Verizon said many organizations store data they don't need or don't realize they have, and subrequirement 3.4 proved tricky for the data set (22% noncompliance) because of the numerous encryption options available.
Fox said that while the brick-and-mortar retailers he works with have largely conquered unintended data storage, merchants rolling out new online transaction systems and Web stores often fail to anticipate where and how card-not-present transaction data may be stored. He noted those organizations are increasingly outsourcing control of payment data to third-party service providers, for fear of improperly managing payment data.
Radically updated for the second consecutive PCI DSS revision, Requirement 6 proves tricky in spots, but is critically important in staving off a damaging breach; Verizon found that fewer than one in six companies that suffered a breach last year were compliant with Requirement 6. Despite a notable percentage of organizations failing to meet subrequirements 6.2 and 6.4 (22% and 20%, respectively), Verizon found demonstrable improvement in its customers' ability to implement patches quickly and to handle change-control processes successfully.
Requirement 8 -- authentication -- has seen steady improvement, but Verizon found that organizations struggled with subrequirements 8.2 (password length and complexity) and 8.5 (shared passwords). According to Verizon, many in the data set are still adapting to mandatory password changes every 90 days, while not enough organizations are effectively checking user ID lists for shared IDs and/or passwords.
The thorniest element of Requirement 9 proved to be subrequirement 9.5 (physically securing all media), with a 13% failure rate at IRoC. Verizon reported that portable media such as disks, tapes and even paper often lie beyond the control of IT and security teams, and the non-IT staff who handle them often aren't aware of the proper procedures.
Finally, Requirement 12 proved challenging for organizations in a variety of ways. Foremost among those challenges was subrequirement 12.10 (incident response planning), with nearly a quarter of the data set failing it at the time of their IRoC. Verizon advised organizations to increase their focus on incident response, specifically in regards to training.
Coming soon: PCI DSS 3.1
Verizon's report comes as the SSC prepares the imminent release of PCI DSS version 3.1. The SSC quietly announced last month that, because of inherent weaknesses in the Secure Sockets Layer (SSL) v3.0 protocol, commonly used by applications to encrypt the transmission of sensitive payment data, SSL is no longer acceptable as a data protection control.
The unusual move to offer a point update in between formal three-year revision cycles comes in response to a spate of recent SSL vulnerabilities, including the infamous Heartbleed flaw in some OpenSSL implementations, the POODLE flaw that compromises the legacy but still commonly used SSL 3.0 protocol, and more recently the FREAK attack that enables attackers to intercept and decrypt SSL traffic in some applications, including Windows.
"When published, PCI DSS v3.1 will be effective immediately," the SSC said in a statement last month, "but impacted requirements will be future-dated to allow organizations time to implement the changes."
Leach said the intent of this update is to address not only SSL issues but also provide other minor updates and clarifications.
"While these interim updates are not intended to address general feedback we receive from the community, or to introduce new requirements or major updates," Leach said, "we currently have an open feedback period for both PCI DSS and PA-DSS, and we also consider advancements in technology, industry sources and breach trends as we are developing updates to the standards."
Villegas noted that the PCI community is in a dilemma when it comes to SSL/TLS security; maintaining the status quo is insufficient, but how to address the problems remains unclear, since even the most recent version of TLS, version 1.2, is considered flawed.
"It's a vulnerability that can't be remediated, so effectively what the SSC has done is issue a communication saying SSL 3.0 is no longer acceptable," Villegas said. "And that's fine, but what's the alternative?"
Simonetti said he expects TLS to be mandatory in PCI DSS 3.1, and that TLS usage will have to be carefully reviewed by assessors going forward to ensure it provides the strongest possible cryptography.
"TLS, when properly configured, should meet the strong cryptography requirements," Simonetti said. "That's what we tell our customers, and that's what we expect to see in the next release of the PCI DSS."
Leach declined to say when PCI DSS 3.1 would be released, though Villegas speculated it would likely debut prior to the SSC's September North American Community Meeting in Vancouver.