The percentage of companies compliant with PCI DSS Requirement 11 dropped to 33 percent last year, a Verizon report found.

In Verizon's 2015 PCI Compliance Report, one requirement within the Payment Card Industry Data Security Standard (PCI DSS) stood out as a weak spot for businesses. Among the 12 requirements specified in the Standard, Requirement 11 – which states that organizations should regularly test security systems and processes – was the only area where compliance dropped between 2013 and 2014.

Verizon's report, published Thursday (PDF), showed that compliance with the remaining PCI DSS requirements improved for enterprises, particularly for authenticating access to cardholder data (Requirement 8).

Over the time period, for instance, the percentage of companies compliant with Requirement 11 at their interim assessment fell from 40 percent to 33 percent, the report said. In contrast, the remaining requirements charted an average spike in compliance of 18 percent across the board.

Within Requirement 11 (PDF), the testing procedures that companies failed most often, and for which they most often used a compensating control, were those that “validate the detection and identification of all authorized and unauthorized wireless access points on a quarterly basis” (under Requirement 11.1) and those that deploy change-detection mechanisms, such as file integrity monitoring (under Requirement 11.5), the report said.

As a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council to audit companies for PCI DSS compliance, Verizon found that 14 percent of companies used a compensating control within Requirement 11. According to a PCI DSS reference guide, compensating controls can be considered when an entity “cannot meet a requirement as explicitly stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation” of the controls.

For the 2015 report, Verizon based its findings on quantitative data collected by its QSAs who performed PCI DSS compliance assessments between 2012 and 2014. In addition, “[the] data was augmented by analysis of forensic investigation reports by our security practice, the authors of the Verizon Data Breach Investigations Report (DBIR),” the company said of its methodology.