In Verizon's 2015 PCI Compliance Report, one requirement within the Payment Card Industry Data Security Standard (PCI DSS) stood out as a weak spot for businesses. Among the 12 requirements specified in the Standard, Requirement 11 – which states that organizations should regularly test security systems and processes – was the only area where compliance dropped between 2013 and 2014.
Verizon's report, published Thursday (PDF), showed that compliance with the remaining PCI DSS requirements improved for enterprises, particularly for authenticating access to cardholder data (Requirement 8).
Over the time period, for instance, the percentage of companies complaint with Requirement 11 at their interim assessment fell from 40 percent to 33 percent, the report said. In contrast, the remaining requirements charted an average spike in compliance of 18 percent, across the board.
Within Requirement 11 (PDF), the testing procedures that companies failed most often and used a compensating control for were procedures that “validate the detection and identification of all authorized and unauthorized wireless access points on a quarterly basis” (under Requirement 11.1), and deploy change-detection mechanisms, such as file integrity monitoring, (under Requirement 11.5), the report said.
As a Qualified Standard Assessor (QSA) certified by the PCI Security Standards Council to audit companies for PCI DSS compliance, Verizon found that 14 percent of companies used a compensating control within Requirement 11. According to a PCI DSS reference guide, compensating controls can be considered when an entity “cannot meet a requirement as explicitly stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation” of the controls.
For the 2015 report, Verizon based its findings on quantitative data collected by its QSAs who performed PCI DSS compliance assessments between 2012 and 2014. In addition, “[the] data was augmented by analysis of forensic investigation reports by our security practice, the authors of the Verizon Data Breach Investigations Report (DBIR),” the company said of its methodology.
In an interview with SCMagazine.com, Andi Baritchi, global managing principal of PCI Consulting Services at Verizon, said that a lack of sustainability within organizations likely drove the compliance dip for Requirement 11. But, the trend was “pervasive throughout the whole report,” he noted.
“Lack of sustainability is a major theme,” Baritchi, who was co-authored the compliance report, said. “Too many companies treat compliance as a once a year activity.”
A major takeaway from the report, for instance, was that less than a third (only 28.6 percent) of companies were still fully compliant less than a year after successful validation, the report said.
“There are a number of possible reasons for this,” the report continued. “First, it's very easy to fall out of compliance if you don't have robust procedures in place for managing and maintaining it. And second, a compliance assessment can only ever be a snapshot. All it in fact proves is that the company was able to demonstrate compliance at that moment, for the selected sample of sites, devices and systems checked.”
Verizon advised companies to implement a “robust framework with security policies, procedures, and testing mechanisms” to improve continuous compliance.
In a Thursday statement, Stephen Orfei, general manager of the PCI Security Standards Council, spoke to the report's focus on building sustainable security into business operations.
“Often an organization's approach to PCI security is to focus on passing the annual compliance assessment,” Orfei said. “But this is just the start of a vigilant, proactive security program. Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual' practice will help thwart these constant threats.”