A Verizon report shows a link between compliance with the payment card industry security standard and an organisation’s ability to defend against cyber attacks, but nearly half are failing to maintain compliance.
Of all the payment card data breaches Verizon investigated in the past year, no organisations were found to be fully compliant with the payment card industry data security standard (PCI DSS) at the time of breach.
Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 Payment Security Report.
PCI DSS is aimed at helping organisations protect payment systems from breaches and theft of cardholder data, which is becoming increasingly important as cyber crime increases and the deadline approaches for compliance with the EU’s General Data Protection Regulation (GDPR).
From May 2018, any company that does business in the EU could be hit by fines of up to €20m or 4% of annual turnover, whichever is the greater, for failing to protect EU citizens’ personal data, which includes payment card data.
The report, which tracks the performance of PCI compliance, is based on PCI assessments conducted by Verizon’s team of qualified security assessors (QSAs) for Fortune 500 and large multinational firms in more than 30 countries.
Although the report shows that the proportion of organisations Verizon assessed that achieved PCI compliance at interim validation in 2016 rose to 55.4%, up from just 11.1% in 2012 and 48.4% in 2015, nearly half of the retailers, restaurants, hotels and other businesses that take card payments are still failing to maintain compliance from year to year.
“There is a clear link between PCI DSS compliance and an organisation’s ability to defend itself against cyber attacks,” said Rodolphe Simonetti, global managing director for security consulting, Verizon. “While it is good to see PCI compliance increasing, the fact remains that over 40% of the global organisations we assessed – large and small – are still not meeting PCI DSS compliance standards.”
Gabriel Leperlier, head of continental Europe advisory services GRC/PCI at Verizon, said that while compliance does not guarantee that an organisation will not be breached, the data shows that failure to comply almost certainly means that it will be breached.
“Since 2010, not a single organisation that has been breached was 100% PCI DSS compliant at the time of the breach,” he told Computer Weekly.
The report also highlights that of those organisations that pass validation, nearly half fall out of compliance within a year, with most falling out of compliance in less than nine months.
“This shows that the security controls implemented by these organisations are not efficient and sustainable, and cyber attackers take advantage of any area where organisations fall below the compliance standard,” said Leperlier.
A classic example, he said, is an organisation where a newly installed aquarium was connected to an internet-based maintenance service, but there was no process in place to flag an unsecured new connection to the internet. As a result, no security assessment was carried out and no mitigating controls were put in place as required by the PCI DSS.
“As a result, the organisation was hacked by attackers who first compromised the aquarium’s internet connection as a way into the company’s network,” said Leperlier.
The importance of proficient security assessments
Another example from the field that highlights the importance of having a proficient and skilled information security team that will ask the right questions, he said, is the case of an unnamed air force that deployed new printers without conducting any security assessments.
“Fortunately, a system administrator noticed high volumes of network traffic associated with these printers, and while the security team dismissed this as ‘normal’, the sys admin eventually discovered that each printer had a built-in GSM module that was sending information collected about the air force’s network to another country.”
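The check the sysadmin in that account did by eye can be automated over a flow export. The script below is an added illustration, not part of the Verizon report or this article: it takes printer-initiated flows, flags any printer talking to a peer outside its expected set (print server, DNS) and any printer whose daily egress exceeds a multiple of its baseline. The flow format, the addresses, the byte counts and the baseline are all constructed; a real deployment would read a NetFlow, IPFIX or firewall log export instead.

```python
"""Printer egress check: flag printers that talk to unexpected peers or move
unusual volumes of data.

Added example, not from the Verizon report. The flow export format
("src,dst,dport,bytes" per line), the addresses, the byte counts and the
baseline below are constructed.
"""
from collections import defaultdict

# Constructed: which hosts are printers, and which peers a printer legitimately
# initiates traffic to (print server, DNS resolver). Anything else gets a question.
PRINTERS = {"10.20.5.10", "10.20.5.11"}
ALLOWED_PEERS = {"10.20.1.5", "10.20.1.53"}

# Constructed per-printer daily egress baseline and the multiple that raises an alert.
BASELINE_BYTES = 1_000_000
ALERT_FACTOR = 10

# Constructed one-day flow export. 10.20.5.11 is the odd one out: it probes three
# workstations on port 445 and pushes ~80 MB to an internal host it has no business with.
FLOW_EXPORT = """\
# src,dst,dport,bytes
10.20.5.10,10.20.1.5,9100,204800
10.20.5.10,10.20.1.53,53,2048
10.20.5.11,10.20.1.5,9100,153600
10.20.5.11,10.20.7.14,445,1200
10.20.5.11,10.20.7.15,445,1200
10.20.5.11,10.20.7.16,445,1200
10.20.5.11,10.20.9.22,443,83886080
10.20.3.40,10.20.1.5,9100,50000
"""


def parse_flows(text):
    """Parse the constructed CSV-style export into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = (field.strip() for field in line.split(","))
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def analyse_printer_flows(flows, printers=PRINTERS, allowed_peers=ALLOWED_PEERS,
                          baseline=BASELINE_BYTES, factor=ALERT_FACTOR):
    """Per printer: total egress bytes, peers outside the allowed set, and a volume flag."""
    totals = defaultdict(int)
    peers = defaultdict(set)
    for src, dst, _dport, nbytes in flows:
        if src not in printers:
            continue  # only printer-initiated traffic is in scope here
        totals[src] += nbytes
        if dst not in allowed_peers:
            peers[src].add(dst)
    report = {}
    for printer in sorted(printers):
        report[printer] = {
            "bytes": totals[printer],
            "unexpected_peers": sorted(peers[printer]),
            "volume_alert": totals[printer] > baseline * factor,
        }
    return report


def run_printer_check(flow_text=FLOW_EXPORT):
    return analyse_printer_flows(parse_flows(flow_text))


if __name__ == "__main__":
    for printer, result in run_printer_check().items():
        flag = "ALERT" if result["volume_alert"] or result["unexpected_peers"] else "ok"
        print(f"{printer}: {result['bytes']} bytes, "
              f"unexpected peers {result['unexpected_peers']} [{flag}]")
```

The two signals are deliberately independent: a printer that exceeds its byte baseline while only talking to the print server is most likely a big print run, whereas a printer that reaches out to workstations at low volume is the more interesting finding even though no volume threshold is crossed. Either one should trigger the security assessment that was skipped at deployment.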
According to the report, the IT services industry achieved the highest rate of full compliance of all the key industry groups studied. Globally, more than three-fifths (61.3%) of IT services organisations achieved full compliance during interim validation in 2016, followed by 59.1% of financial services organisations, retail (50%) and hospitality (42.9%).
The report shows the compliance challenges faced by specific business sectors. In retail, security testing, encrypted data transmissions and authentication were named as the top challenges. For hospitality and travel, security hardening, protecting data in transit and physical security were cited as challenges, while for financial services, the main hurdles to PCI compliance given were security procedures, secure configurations, protecting data in transit, vulnerability management and overall risk management.
Why follow PCI DSS controls?
Giving an example of an organisation’s failure to follow PCI DSS controls, Leperlier cited a case of a hidden router at a financial services organisation.
The organisation was seeking exemption from the Wi-Fi requirements of PCI DSS, but was surprised to learn that it did in fact have a wireless network operating in its building.
“The QSA [qualified security assessor] spotted an unknown Wi-Fi hotspot signal, which was eventually tracked to the server room in the basement of the building,” said Leperlier.
“The system administrator had installed a wireless router so that he could access the servers from his desk on the third floor to save himself from going down to the server room, but at the same time had opened up a way in for would-be attackers,” he said.
The organisation in question failed its PCI DSS assessment, said Leperlier, because it had not scanned to check for potential rogue wireless access points, and the wireless router that was discovered by the QSA was also not hardened against attack as required by the PCI DSS.
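The scan the organisation had not run amounts to comparing what is on the air against the authorised access point inventory. The script below is an added illustration, not part of the Verizon report or this article: it parses a survey export, flags any transmitter not in the inventory (the hidden router case), any inventoried AP advertising an SSID it should not, and any authorised AP that did not show up. The survey format, the inventory and every MAC address and SSID are constructed; the parser would be adapted to whatever the survey tool or wireless IDS actually exports.

```python
"""Rogue wireless AP check: diff a site survey against the authorised AP inventory.

Added example, not from the Verizon report. The inventory, the survey export
format ("bssid,ssid,channel,signal_dbm" per line) and every MAC/SSID below are
constructed.
"""
from dataclasses import dataclass

# Constructed inventory: BSSID -> (expected SSID, physical location).
# This is the asset register an assessor will want to see next to the scan results.
AUTHORISED_APS = {
    "00:11:22:33:44:01": ("CORP-WIFI", "floor 1 east"),
    "00:11:22:33:44:02": ("CORP-WIFI", "floor 2 west"),
    "00:11:22:33:44:03": ("CORP-GUEST", "lobby"),
}

# Constructed survey export. The TP-LINK entry stands in for the admin's own router;
# the lobby AP has been re-pointed at the corporate SSID; the floor 2 AP is absent.
SURVEY_EXPORT = """\
# bssid,ssid,channel,signal_dbm
00:11:22:33:44:01,CORP-WIFI,6,-41
00:11:22:33:44:03,CORP-WIFI,1,-60
DE:AD:BE:EF:00:01,TP-LINK_1234,6,-38
"""


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int


def parse_survey(text):
    """Parse the constructed CSV-style export into Observation records (BSSID lower-cased)."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, signal = (field.strip() for field in line.split(","))
        observations.append(Observation(bssid.lower(), ssid, int(channel), int(signal)))
    return observations


def find_rogue_aps(observations, inventory):
    """Return (severity, bssid, reason) findings, high severity first.

    unknown BSSID      -> high: a transmitter nobody inventoried (the hidden router case)
    SSID mismatch      -> high: an inventoried AP advertising an SSID it should not
    inventoried unseen -> low:  AP is off, moved, or the survey did not cover its area
    """
    findings = []
    seen = set()
    for obs in observations:
        seen.add(obs.bssid)
        if obs.bssid not in inventory:
            findings.append(("high", obs.bssid,
                             f"unknown BSSID advertising '{obs.ssid}' on channel "
                             f"{obs.channel} at {obs.signal_dbm} dBm"))
        elif inventory[obs.bssid][0] != obs.ssid:
            findings.append(("high", obs.bssid,
                             f"inventoried AP advertising '{obs.ssid}', "
                             f"expected '{inventory[obs.bssid][0]}'"))
    for bssid, (ssid, location) in inventory.items():
        if bssid not in seen:
            findings.append(("low", bssid,
                             f"authorised AP '{ssid}' at {location} not seen in survey"))
    severity_rank = {"high": 0, "low": 1}
    return sorted(findings, key=lambda finding: severity_rank[finding[0]])


def run_ap_check(survey_text=SURVEY_EXPORT, inventory=AUTHORISED_APS):
    return find_rogue_aps(parse_survey(survey_text), inventory)


if __name__ == "__main__":
    for severity, bssid, reason in run_ap_check():
        print(f"[{severity}] {bssid}: {reason}")
```

The unknown-BSSID finding is the one that matters for the anecdote: a strong signal (here -38 dBm) from a BSSID nobody owns means the transmitter is inside the building, which is exactly what the QSA's walk traced to the basement server room. Keeping the inventory current is what makes the diff meaningful; a stale inventory produces noise on both sides and the scan gets ignored.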
“Many organisations struggle to keep up with the continual cycle of scanning, testing and patching, which is why it is important to involve all employees so they understand why certain security controls are in place and will be more likely to stick to them rather than finding ways around them,” he said.
Basic security controls on the decline
The report also reveals that, despite the increase in the number of PCI DSS compliant organisations, there has been a decline in basic security controls.
In 2015, companies that failed their interim assessment were missing an average of 12.4% of controls; in 2016 that figure rose to 13%, with basic controls such as security testing and penetration testing among those lacking.
Simonetti said that one of the biggest challenges for organisations is how to achieve sustainable data protection.
Control lifecycle management
Many organisations still look at PCI DSS controls in isolation and do not appreciate that they are interrelated. “The concept of control lifecycle management is far too often absent,” said Simonetti. “This is often the result of a shortage of skilled in-house professionals – however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts.”
The Verizon report offers five guidelines to assist with control lifecycle management:
- Adding more security controls is not always the answer: The PCI DSS already contains numerous interlinked data protection standards and regulations. Organisations should be able to use this to consolidate controls, making them easier to manage overall.
- Invest in developing expertise: Organisations should invest in their people to develop and maintain their knowledge of how to enhance, monitor and measure the effectiveness of controls in place.
- Apply a balanced approach: Companies need to maintain an internal control environment that is both robust and resilient if they want to avoid controls falling out of compliance.
- Automate everything possible: Applying data protection workflow and automation can be a huge asset in control management – but all automation also needs to be frequently audited.
- Design, operate, and manage the internal control environment: The performance of each control is interlinked. If there is a problem at the top, this will impact the performance of the controls at the bottom. It is essential to understand this in order to achieve and maintain an effective and sustainable data protection program.
Leperlier said that when it comes to payment security, it is important for organisations to focus on the fact that the ultimate goal is to safeguard customer data, not to pass the PCI DSS assessment.
“If too many compensating controls are used or if a company focuses only on what data is in scope, for example, an organisation may pass the assessment, but customer data may not be very secure,” he said.