Verizon PCI DSS Compliance Study: breached entities 50% less likely to be compliant
A new report from Verizon Business shows that following industry security standards can dramatically reduce such incidents.
In a first-of-its-kind “Verizon Payment Card Industry Compliance Report,” the company examined compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created in 2006 to protect cardholder data and reduce credit card fraud. Company investigators found that breached organizations are 50 percent less likely to be PCI compliant and that only 22 percent of organizations were PCI compliant at the time of their initial examination.
In addition to assessing the effectiveness of the PCI DSS standards, the report identifies which attack methods are most common and provides recommendations for businesses on earning and maintaining PCI compliance.
Some of the key findings:
- 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year after year repeat clients.
- On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. Naturally, there was some variation around this number but not many (11% of clients) passed less than 50% of tests.
- Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).
- Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.
- Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.
- All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard that mitigate risk posed by these threat actions.
In light of some of the hospitality sector breaches, I was especially curious as to what they would find with respect to vendor defaults:
Default passwords, settings, and configurations are common attack points for hackers because they are such easy fare. As evidenced by the 48% that initially passed Requirement 2, many organizations have difficulty eliminating them. There were three big reasons clients didn’t have more success with this requirement: they didn’t sufficiently harden systems by turning off extra services (2.2.2) and functionality (2.2.4), they didn’t document why certain services and functions could not be removed due to business reasons (as required by 2.2.2 and 2.2.4), and they didn’t encrypt all non-console admin traffic (2.3).
You can read more of the findings and their recommendations on Verizon’s site.