In a first-of-its-kind “Verizon Payment Card Industry Compliance Report,” the company examines the state of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006 to protect cardholder data and reduce credit card fraud. Company investigators found that breached organizations are 50 percent less likely to be PCI compliant and that only 22 percent of organizations were PCI compliant at the time of their initial examination.
In addition to assessing the effectiveness of the PCI DSS, the report identifies which attack methods are most common and provides recommendations for businesses on earning and maintaining PCI compliance.
The compliance report is based on findings from PCI DSS assessments conducted by Verizon’s team of PCI Qualified Security Assessors (QSAs) in 2008 and 2009, and a review of a sample of approximately 200 assessments. As a QSA, Verizon audits and evaluates a company’s compliance with the established PCI DSS, which is continually enhanced by the PCI Council, the governing body for PCI security standards and compliance.
“The Verizon Payment Card Industry Compliance Report gives organizations an unprecedented view into the state of PCI compliance across the board, specifically pointing out which requirements are most difficult to meet,” said Peter Tippett, vice president of technology and innovation at Verizon Business. “We hope this report will help organizations approach PCI compliance in a more informed and effective way. Ultimately, we want the same thing as the rest of the industry: fewer payment card losses and data breaches.”
The findings demonstrate that following PCI requirements can reduce the likelihood of a breach. Additionally, to obtain a more in-depth view of the data, Verizon overlaid the findings from payment card breach cases included in the “Verizon 2010 Data Breach Investigations Report” (DBIR) and then analyzed the combined data set for commonalities.
Top findings include:
- Only 22 percent of organizations are compliant initially. Most organizations were not compliant with the PCI requirements at the time of the Initial Report on Compliance, when Verizon QSAs first evaluate an organization against the standard. The majority of the fully compliant organizations were veterans of the process or were not required to comply with all of the requirements.
- Compliance, however, is in reach. While 78 percent of organizations are not compliant initially, the findings show that, on average, organizations meet 81 percent of the procedures required by PCI. In fact, three-quarters of the organizations met at least 70 percent of the testing procedures, meaning that, with more diligence, they have a good chance of becoming compliant. Only 11 percent of organizations met less than half the testing procedures at the time of their initial review.
- Organizations that suffer a breach are 50 percent less likely to have achieved or maintained PCI compliance. At the end of a forensic or data breach investigation, Verizon investigators assess how compliant the organization is with PCI. By reviewing this data against official PCI assessments, Verizon analysts determined that organizations that had a data breach are 50 percent less likely to be compliant with the standard than PCI customers. These findings indicate that PCI compliance can help prevent data breaches.
- There is a correlation between data breaches and the difficulties companies face in complying with certain PCI requirements. Of the 12 requirements that constitute the PCI DSS, three of them (protect stored data; track and monitor access to network resources and cardholder data; and regularly test security systems and processes) cover the areas that are most vulnerable to security breaches, according to the DBIR. However, those three requirements are also the same ones that companies struggle the most to meet for PCI compliance.
Standard Addresses Common Attack Methods
By coupling PCI assessment data with the post-breach analysis, Verizon analysts were able to rank the top attack methods used to compromise payment card data: malware and hacking (25 percent), SQL injections (24 percent) and exploitation of default or guessable credentials (21 percent).
The report found that the PCI requirements address the most common attack methods used to capture cardholder data. In several instances, multiple layers of controls exist across the standard.
“Our findings demonstrate that adherence to PCI DSS requirements can help organizations deter, prevent and detect likely security threats,” Tippett said.
Best practices found in fully compliant organizations include:
- Build security in. Security needs to be built into business processes from the beginning, not added on. Organizations that adhere to this practice typically spend fewer resources and achieve more value from their compliance activities.
- Do not separate compliance and security. Organizations that align compliance and security tend to more easily achieve compliance with security regulations such as PCI DSS. Compliant organizations also tend to have one compliance and security management team, or have two teams that are highly collaborative.
- Treat compliance as a continuous process, not a point-in-time event. Organizations should incorporate PCI activities into their daily business operations. Organizations get into trouble when they approach PCI as a monthly, quarterly or yearly project.
- Control data closely. “Scope creep,” where companies add activities above and beyond the PCI requirements in an attempt to ensure compliance, is a common problem with assessment activities. Discovering, tracking and managing data is essential. The larger the scope of the assessment, the more costly and difficult it is for the organization to perform.
A complete copy of the Verizon Payment Card Industry Compliance Report is available at www.verizonbusiness.com/go/pcireport.