Large numbers of organisations still struggle with PCI DSS compliance, Verizon finds

Real-world assessments show poor follow-through

Large numbers of firms still struggle to achieve full PCI DSS 2.0 compliance despite meeting almost all of its requirements, according to an analysis of real-world assessments carried out by Verizon.

Looking at an unspecified number of annual 'baseline' assessments (i.e. those carried out before improvements), the consultancy found that in 2013 only 11 percent of global customers had met all the demands set out by PCI DSS 2.0 at this stage, slightly up on the 7.5 percent figure for 2012.

Curiously, a total of 82 percent had passed on at least 80 percent of the required controls, a dramatic increase over the 32 percent reaching that level a year earlier. A further cut on the numbers showed that almost one in five organisations passed 95 percent of PCI's demands.

On the basis of Verizon's customers, compliance levels are clearly showing healthy improvements but with PCI DSS now having moved on to the more demanding version 3.0 and with data breaches still common, are things improving fast enough?

Looking into the underlying reasons for non-compliance, Verizon spotted a number of themes. Businesses are now quite good at protecting cardholder data - 58.4 percent met the grade here - and 91 percent were on top of the need to use updated antivirus software.

But more than three quarters failed to meet DSS requirement 11 that stipulates firms should regularly test security systems to make sure they actually work. They might comply, they might not, but they can't know either way.

Meanwhile 62 percent of firms met requirement 8, covering the use of identity management and multi-factor authentication, but real-world breaches (e.g. Target, which is believed to have involved abuse of stolen credentials) suggest that this is woefully short of what is needed to secure systems properly.

According to the report's primary author, Verizon's director of operations at its PCI Security Practice, Ciske van Oosten, a major problem is simply that organisations implement controls but then forget to maintain them.

"Organisations have an abysmal record of testing security. They don't test whether controls are working," he said.

"It is not a failure of technology or of budgets. It is a lack of intelligent decision making."

According to van Oosten, many data breaches could be prevented by implementing and testing controls such as two-factor authentication, a timely warning given the likelihood that hackers exploited precisely this weakness in recent attacks on US retailers.

Verizon also detected some interesting regional variations, which showed that 75 percent of Asian organisations met 80 percent of PCI DSS's requirements, ahead of the US on 56 percent and Europe in last place on 31 percent.

Of course, Europe comprises a large number of countries that show wide variations in compliance levels (the Baltics are a particular problem for instance) while better-performing Asian firms are also more likely to have built their networks recently using updated systems. The US lies somewhere in between these poles but does, unlike some parts of Europe, have the advantage of a single regulatory and compliance regime.

Verizon recommends that PCI DSS be "embedded" inside firms affected by it while using it as a means of streamlining systems so that data is stored on as few systems as possible. PCI DSS is often seen as a threat but Verizon argues it can be a spur to change too.

Stories by John E Dunn