“Cybersecurity” should have been the word of 2017. After years of buildup and increasing media attention, a few massive data breaches and ransomware attacks pushed cybersecurity over the edge and into the average person’s realm of awareness. Many of these breaches exposed not only personal information, but payment card data which is protected by the Payment Card Industry Data Security Standard (PCI DSS).
While compliance has been increasing, Verizon’s most recent Payment Security Report found that only 55.4% of organizations that accept, process or store payment card data (and thus are required to abide by PCI compliance standards) are fully PCI DSS compliant. The 2017 report looked at global data from 2016, specifically analyzing four industries most often covered by PCI compliance standards:
There’s a lot of great information in this report, but as a company that helps clients more easily achieve and maintain compliance via our robust PCI compliant virtual desktop solution, we’re most interested in which requirements were falling short and how compliance was trending year over year (in this case, 2015 to 2016).
While the share of organizations at full (100%) compliance sits at 55.4% (an increase of 7 percentage points over 2015 and the first time this metric crossed the 50% threshold), compliance varied greatly by industry. Full compliance ranged from 42.9% for retail to 61.3% for IT Services.
Breaking it down by the individual PCI requirements, the percentages are a little more encouraging.
Overall, compliance with each requirement increased at least a bit from 2015 to 2016, but growth was sporadic, ranging from a 1.5 percentage point increase (Requirement 5) to a 10.4 increase (Requirement 1).
The real evidence in the case for PCI compliance comes when you look at the compliance audits of organizations following a data breach. Break it down requirement-by-requirement and the majority of organizations that suffered a data breach were not in compliance for all but two requirements – regardless of how basic the controls are.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
With the current state of cybersecurity, installing and maintaining proper firewalls seems like something every organization would be rushing to do at a bare minimum. However, when it comes to PCI compliance requirements, this one ranks 8 out of 12 in terms of full compliance.
Full compliance increased 10.4 percentage points since 2015. However, of those organizations that experienced a data breach, 77.2% were found to not be in compliance with Requirement 1.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
You wouldn’t hand out copies of your house key to strangers, so why would you leave default passwords in place? These default passwords (and other default security settings) are intended to be changed upon implementation. Since they’re defaults (and thus the same for every user) they’re known to a large number of people – including hackers. Leaving them unchanged leaves your instance at high risk.
Full compliance with Requirement 2 experienced a slight increase (1.6 percentage points) since 2015 and ranks 7 out of 12. Still, the majority of organizations that experienced a data breach were not in compliance with Requirement 2.
Requirement 3: Protect stored cardholder data
Consumers are becoming increasingly aware of just how vulnerable their personal and payment information is while in the hands of merchants. Leaving data at rest unprotected is a major risk factor and one that will likely eventually lead to a data breach if left unaddressed.
This is made clear by the whopping 80% of organizations that were found to not be in compliance with Requirement 3 during post-breach audits. Unsurprisingly, this requirement comes in second to last when ranked in order of most likely to be fully compliant. Things are only looking slightly up as compliance with this requirement increased by a meager 2 percentage points year over year.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
According to PCI compliance mandates, payment card data needs to be protected at every stage – collection, storage and transmission. This is particularly important when the data encounters an open, public network where it is particularly vulnerable.
Organizations seem to have caught onto this one and are taking action. It ranks number 4 out of 12 as being most likely to be in full compliance and wasn’t an issue for most organizations that experienced a breach. Compliance in this area continues to grow stronger as well, increasing by 6.6 percentage points.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
This is another area that organizations should be hyper-vigilant about, considering the current rise in malware and ransomware attacks. In reality, it’s a bit of a mixed bag.
It ranks number 2 out of 12 as the most likely requirement to be fully compliant at 92.1%, but for that other 8% it is a major pain point. In data breach instances, this requirement is found to be non-compliant in 64.4% of situations. With the lowest annual increase (1.5 percentage points), it seems like some companies are looking the other way and hoping for the best.
Requirement 6: Develop and maintain secure systems and applications
Attacks like WannaCry shone a bright light on how neglected this requirement is. Even when security patches are available, organizations and individuals aren’t as diligent about enacting them as they should be. Malicious parties aren’t hesitant about exposing these vulnerabilities, leaving the chances of a data breach extremely high.
Full compliance with this requirement ranks 9 out of 12, proving there’s still a lot of work to do in this area. Organizations are beginning to catch on, with a 7.4 percentage point increase in compliance from 2015 to 2016. There’s still a long way to go though, as evidenced by how often this requirement is in noncompliance when a breach occurs.
Requirement 7: Restrict access to cardholder data by business need to know
This one should be as simple as enacting and maintaining user-based access and permissions – a basic security protocol. That’s why it’s ranked number 1 of 12 with 93.5% full compliance.
Companies that don’t pay proper attention to this security measure, though, may find that it’s the source of their data breach woes. Despite being the top requirement in terms of compliance, when a data breach happens this area is found to be in noncompliance 68% of the time. Hopefully those lagging behind will catch up, as compliance with this requirement increased by 6 percentage points recently.
Requirement 8: Identify and authenticate access to system components
Everyone knows that they’re not supposed to share login credentials, and organizations that want to be PCI compliant need to stress just how important that is. Unique credentials along with enforcing password best practices and using tools like multifactor authentication can help organizations get closer to meeting this requirement.
Requirement 8 comes in towards the top in terms of full compliance (5 out of 12), but organizations that experience a data breach aren’t very likely to be compliant. Things are improving somewhat, with a 3.8 percentage point increase over the past few years.
Requirement 9: Restrict physical access to cardholder data
This requirement covers several things, but focuses largely on access to hardware and physical devices that may expose data (such as desktops, server rooms and media transfers). Full time employees, seasonal employees, contractors and even visitors can all pose a potential risk if organizations aren’t paying proper attention to who may have access to payment data and the hardware that accesses and stores that data.
Many organizations have a good handle on this requirement. It ranks 4 out of 12 in terms of full compliance and is often in compliance even in data breach situations, with more organizations continuing to come into compliance (2.2 percentage point growth).
Requirement 10: Track and monitor all access to network resources and cardholder data
This requirement is critical to tracking down vulnerabilities and identifying malicious actors or accounts. Without a log of who is accessing data, when, and from where, it can be nearly impossible to pinpoint an issue, giving malicious actors more time to take advantage of your data.
This requirement comes in right in the middle as number 6 of 12 most likely to be in full compliance. However, it’s the biggest weakness when it comes to post-breach audits, with an astounding 91.9% of companies being non-compliant. To make matters worse, compliance with this requirement is increasing slowly, only growing by 3.8 percentage points from 2015 to 2016.
Requirement 11: Regularly test security systems and processes
Compliance is not a “one and done” project. In order to pass annual audits, compliance and security practices, systems and processes need to be tested at least once a year, but the best companies keep a closer eye on their systems to optimize whenever needed. Fixing smaller issues is much easier than addressing massive problems.
This requirement comes in dead last in terms of most likely to be in full compliance at only 72%. It also may be leaving organizations vulnerable to data breaches, as 83.6% of organizations that experienced a breach didn’t meet this requirement. With numbers like this, growth could stand to be stronger than its current 3.2 percentage point increase.
Requirement 12: Maintain a policy that addresses information security for all personnel
Documenting security and compliance processes, practices and procedures is a critical part of ensuring all employees understand expectations. It’s also an important element in ensuring security and compliance don’t lapse during personnel turnover. While tedious, it’s far from the most difficult requirement within PCI DSS.
Despite its relative ease, it’s 10 out of 12 most likely to be fully compliant and an issue for 80% of organizations that experience a breach. Big strides have been made recently though, with this requirement seeing a 7.4 percentage point increase in compliance.
If achieving compliance in-house poses challenges, consider seeking vendors that offer compliant solutions. This can be a particularly helpful tactic with IT service providers, as 61.3% of those vendors were found to be in full compliance and may be able to extend some of those practices to your organization.
The key when assessing a vendor of a PCI compliant solution is to ask for their PCI responsibilities matrix. Just because an organization itself has achieved compliance doesn’t mean the solutions or services they’re providing were also audited for compliance (more on that in Understanding PCI Compliant Desktops). The responsibilities matrix will give you a clear understanding of which controls are your responsibility, which are covered by the vendor/solution and which are shared. (For help tracking control ownership on your own as you vet potential partners, download the PCI Compliance Responsibilities Checklist.)
Whether you handle everything in house or partner with vendors that can help you achieve PCI DSS compliance, maintaining compliance isn’t optional. Ignoring any one of these 12 requirements leaves organizations vulnerable to a breach and its subsequent ramifications, and as the data above proves, there’s still a long way to go in making PCI compliance a high-adoption practice.