“We have 55.4 percent of PCI DSS certified customers that were able to meet PCI DSS in a Verizon audit, and 45 percent who needed remediation, to remedy each [instance of] non-compliance and notify when it's fixed to get certified. These organisations met compliance on certification – they were fully compliant – but their security controls were not sustainable or resilient – so a month or two after certification they became non compliant,” Gabriel Leperlier, head of Continental Europe Advisory Services GRC/PCI at Verizon told SC Magazine UK.
He was speaking to SC following publication today of Verizon's 2017 Payment Security Report (PSR) which uses the results of thousands of real-world PCI compliance assessments conducted by Verizon across more than 30 countries.
Organisations that accept card payments must comply with the PCI DSS regulations, or their acquirers (banks) get fined and the banks then fine their customers in turn. But too many organisations are only geared to pass certification and not sustain their compliance. In fact the report found that almost half of the organisations assessed are failing to keep up with the 12 PCI requirements, putting their customers at risk of data breach and payment fraud,
The report also noted how, of ALL the payment card data breaches Verizon investigated, no organisations were found to be fully compliant at the time of breach, demonstrating lower compliance with 10 out of the 12 PCI DSS key requirements.
In a press statement Rodolphe Simonetti, global managing director for security consulting, Verizon, commented, “There is a clear link between PCI DSS compliance and an organisation's ability to defend itself against cyber-attacks,” comments “Whilst it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small - are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner.”
Leperlier responded to SC's suggestion that PCI compliance may not guarantee security, but its absence increased vulnerability, saying, “Lack of compliance is vulnerability – I totally agree. If you just tick the compliance box you won't be totally secure - but if you are not compliant you will be even less secure.”
Examples of non-compliance cited included a hotel storing almost a decade's worth of receipts, containing full, unmasked card numbers in its laundry room. In another, the IT admin of a financial services organisation had got tired of traipsing from the server room in the basement to the IT department on the third floor, and so had installed a router to access the servers from his desk. The organisation had been seeking exemption from the Wi-Fi requirements of PCI DSS was surprised to learn that it did in fact have a wireless network operating in its building – this lack of knowledge causing it to fail.
Compliance fails actually fell from 51.6 percent of organisations in 2015 to 44.6 percent in 2016 but those failing missed more controls than ever before, with an average of 13 percent of necessary controls missing.
There were sectoral differences too with 61.3 percent of IT services organisations achieving full compliance during interim validation in 2016, followed by 59.1 percent of financial services organisations, retail 50 percent and hospitality 42.9 percent.
Five key guidelines are provided in the report to help control lifecycle management:
- Consolidate for ease of management - Adding more security controls is not always the answer Organisations should be able to use this to consolidate controls, making them easier to manage overall.
- Invest in developing expertise – Organisations should invest in their people to develop and maintain their knowledge of how to enhance, monitor and measure the effectiveness of controls in place.
- Apply a balanced approach – Companies need to maintain an internal control environment that is both robust and resilient if they want to avoid controls falling out of compliance.
- Automate everything possible - Applying data protection workflow and automation can be a huge asset in control management – but all automation also needs to be frequently audited.
- Design, operate, and manage the internal control environment – The performance of each control is inter-linked. If there is a problem at the top, this will impact the performance of the controls at the bottom. It is essential to understand this in order to achieve and maintain an effective and sustainable data protection programme.
SC pointed out that PCI DSS itself continues to bring out new rules, as do other organisations, and asked how companies could consolidate. Leperlier responded: “PCI always evolving, so PCI DSS 2.0 had no requirement for point of sale controls, now it has in 3.01. It is necessary because of the risk of hackers changing the POS terminal for a fake and collecting the data of customers. Also Chapter 4 to secure transmission of data over open networks – WIFI – some are no longer secured , so PCI DSS – doesn't allow unsecured protocols now. The standard is evolving to address something that needed to be fixed, and so we have some new requirements, but are addressing new security vulnerabilities.”
He went on to advise organisations, “PCI DSS compliance is a good tool to achieve a good level of security – you also have to comply with PI D2 and GDPR, and if you are compliant to PCI it is easy to adapt to new regulations coming and it's a programme to maintain security. If it's not day to day part of your DNA it will be very difficult to maintain security.”
Regarding hiring skilled personnel, here too, SC questioned how this would be possible for small companies not focussed on security, and whether outsourcing was a viable option. Leperlier replied, “We recognise the lack of expertise in the market, universities not worrying enough about this sector, recruiters for IT security find it very difficult, and there is no unemployment in this sector. Many experts – when you go deep – are not experts so it is a real challenge. A French customer in the finance sector, growing a lot in last few years, had 20 to 30 people in its IT security team – but when we looked into it, all the team were not IT experts, they were working in IT – windows admin etc, but not IT security experts- and had the option to be moved. A good Windows admin will not necessarily be good at IT Security – they need more training. But companies need to either get more experts in the company, or hire from other companies including outsourcing.”
He also acknowledged that automation, while it can help alleviate the problem of skills shortages, was not the entire solution, saying, “Yes you need more automation if you lack automation skills, but we do still need someone knowledgeable to assess and analyse the information and see what is normal, eg a printer scanning the network, someone who knows this is an attack.”
Leperlier told SC, “We have been gathering information on PCI compliance for years, and the requirements to comply with security are the most difficult for companies; its about testing, including pen testing, and it's something people need to achieve.
“Why are so many failing PCI DSS? They need to do their day to day job and compliance covers very wide range of security aspects. Plus they need to be 100 percent compliant to be compliant, so, for example, each and every server, - even if a few servers are not patched, you fail the requirement, so security is difficult – applied not to some – but to all assets. Its not easy to maintain. Every process in place need to be resilient – and there are many pages on how to maintain for good security control. Eg if you launch a new web server – you need to apply (PCI DSS) to the new service or equipment and companies don't realise that its not just for existing but new equipment too.”
Leperlier concluded, “It's not a project, it's a programme – something you need to maintain.”