State of PCI Compliance: Which Requirements are Weakest

“Cybersecurity” should have been the word of 2017. After years of buildup and increasing media attention, a few massive data breaches and ransomware attacks pushed cybersecurity over the edge and into the average person’s realm of awareness. Many of these breaches exposed not only personal information, but payment card data which is protected by the Payment Card Industry Data Security Standard (PCI DSS).

While compliance has been increasing, Verizon’s most recent Payment Security Report found that only 55.4% of organizations that accept, process or store payment card data (and thus are required to abide by PCI compliance standards) are fully PCI DSS compliant. The 2017 report looked at global data from 2016, specifically analyzing four industries most often covered by PCI compliance standards:

• Financial Services, including insurance, investment, lending, money/asset managers, payment processors and service providers
• Hospitality, including hotels, restaurants and travel and tourism companies
• Retail, including brick and mortar stores as well as eCommerce
• IT Service

There’s a lot of great information in this report, but as a company that helps clients more easily achieve and maintain compliance via our robust PCI compliant virtual desktop solution, we’re most interested in which requirements were falling short and how compliance was trending year over year (in this case, 2015 to 2016).

Fully Compliant

While 100% full compliance is sitting at 55.4% (an increase of 7 percentage points over 2015 and the first time this metric crossed the 50% threshold), compliance varied greatly based on industry. Full compliance ranged from 42.9% for retail to 61.3% for IT Services.

Breaking it down by the individual PCI requirements, the percentages are a little more encouraging.

Overall, compliance with each requirement increased at least a bit from 2015 to 2016, but growth was sporadic, ranging from a 1.5 percentage point increase (Requirement 5) to a 10.4 increase (Requirement 1).

The real evidence in the case for PCI compliance comes when you look at the compliance audits of organizations following a data breach. Break it down requirement-by-requirement and the majority of organizations that suffered a data breach were not in compliance for all but two requirements – regardless of how basic the controls are.

PCI Requirement 1

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

With the current state of cybersecurity, installing and maintaining proper firewalls seems likes something every organization would be rushing to do at a bare minimum. However, when it comes to PCI compliance requirements, this one ranks 8 out of 12 in terms of full compliance.

Full compliance increased 10.4 percentage points since 2015. However, of those organizations that experienced a data breach, 77.2% were found to not be in compliance with Requirement 1.

PCI Requirement 2

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

You wouldn’t hand out copies of your house key to strangers, so why would you leave default passwords in place? These default passwords (and other default security settings) are intended to be changed upon implementation. Since they’re defaults (and thus the same for every user) they’re known to a large number of people – including hackers. Leaving them unchanged leaves your instance at high risk.

Full compliance with Requirement 2 experienced a slight increase (1.6 percentage points) since 2015 and ranks 7 out of 12. Still, the majority of organizations that experienced a data breach were not in compliance with Requirement 2.

PCI Requirement 3

Requirement 3: Protect stored cardholder data

Consumers are becoming increasingly aware of just how vulnerable their personal and payment information is while in the hands of merchants. Leaving data at rest unprotected is a major risk factor and one that will likely eventually lead to a data breach if left unaddressed.

This is made clear by the whopping 80% of organizations that were found to not be in compliance with Requirement 3 during post-breach audits. Unsurprisingly, this requirement comes in second to last when ranked in order of most likely to be fully compliant. Things are only looking slightly up as compliance with this requirement increased by a meager 2 percentage points year over year.

PCI Requirement 4

Requirement 4: Encrypt transmission of cardholder data across open, public networks

According to PCI compliance mandates, payment card data needs to be protected at every stage – collection, storage and transmission. This is particularly important when the data encounters an open, public network where it is particularly vulnerable.

Organizations seem to have caught onto this one and are taking action. It ranks number 4 out of 12 as being most likely to be in full compliance and wasn’t an issue for most organizations that experienced a breach. Compliance in this area continues to grow stronger as well, increasing by 6.6 percentage points.

PCI Requirement 5

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

This is another area that organizations should be hyper vigilant about considering the current rise in malware and ransomware attacks. In reality, it’s a bit of a mixed bag.

It ranks number 2 out of 12 as the most likely requirement to be fully compliant at 92.1%, but for that other 8% it is a major pain point. In data breach instances, this requirement is found to be non-compliant in 64.4% of situations. With the lowest annual increase (1.5 percentage points), it seems like some companies are looking the other way and hoping for the best.

PCI Requirement 6

Requirement 6: Develop and maintain secure systems and applications

Attacks like WannaCry shone a bright light on how neglected this requirement is. Even when security patches are available, organizations and individuals aren’t as diligent about enacting them as they should be. Malicious parties aren’t hesitant about exposing these vulnerabilities, leaving the chances of a data breach extremely high.

Full compliance with this requirement ranks 9 out of 12, proving there’s still a lot of work to do in this area. Organizations are beginning to catch on, with a 7.4 percentage point increase in compliance from 2015 to 2016. There’s still a long way to go though, as evidenced by how often this requirement is in noncompliance when a breach occurs.

PCI Requirement 7

Requirement 7: Restrict access to cardholder data by business need to know

This one should be as simple as enacting and maintaining user-based access and permissions – a basic security protocol. That’s why it’s ranked number 1 of 12 with 93.5 % full compliance.

Companies that don’t pay proper attention to this security measure, though, may find that it’s the source of their data breach woes. Despite being the top requirement in terms of compliance, when a data breach happens this area is found to be in noncompliance 68% of the time. Hopefully those lagging behind will catch up, as compliance with this requirement increased by 6 percentage points recently.

PCI Requirement 8

Requirement 8: Identify and authenticate access to system components

Everyone knows that they’re not supposed to share login credentials, and organizations that want to be PCI compliant need to stress just how important that is. Unique credentials along with enforcing password best practices and using tools like multifactor authentication can help organizations get closer to meeting this requirement.

Requirement 8 comes in towards the top in terms of full compliance (5 out of 12), but organizations that experience a data breach aren’t very likely to be compliant. Things are improving somewhat, with a 3.8 percentage point increase over the past few years.

PCI Requirement 9

Requirement 9: Restrict physical access to cardholder data

This requirement covers several things, but focuses largely on access to hardware and physical devices that may expose data (such as desktops, server rooms and media transfers). Full time employees, seasonal employees, contractors and even visitors can all pose a potential risk if organizations aren’t paying proper attention to who may have access to payment data and the hardware that accesses and stores that data.

Many organizations have a good handle on this requirement. It ranks 4 out of 12 in terms of full compliance and is often in compliance even in data breach situations, with more organizations continuing to come into compliance (2.2 percentage point growth).

PCI Requirement 10

Requirement 10: Track and monitor all access to network resources and cardholder data

This requirement is critical to tracking down vulnerabilities and identifying malicious actors or accounts. Without a log of who is accessing data when and from where it can be nearly impossible to pinpoint an issue, giving malicious actors more time to take advantage of your data.

This requirement comes in right in the middle as number 6 of 12 most likely to be in full compliance. However, it’s the biggest weakness when it comes to post-breach audits, with an astounding 91.9% of companies being non-compliant. To make matters worse, compliance with this requirement is increasing slowly, only growing by 3.8 percentage points from 2015 to 2016.

PCI Requirement 11

Requirement 11: Regularly test security systems and processes

Compliance is not a “one and done” project. In order pass annual audits, compliance and security practices, systems and processes need to be tested at least once a year, but the best companies keep a closer eye on their systems to optimize whenever needed. Fixing smaller issues is much easier than addressing massive problems.

This requirement comes in dead last in terms of most likely to be in full compliance at only 72%. It also may be leaving organizations vulnerable to data breaches, as 83.6% of organizations that experienced a breach didn’t meet this requirement. With numbers like this, growth could stand to be stronger than its current 3.2 percentage point increase.

PCI Requirement 12

Requirement 12: Maintain a policy that addresses information security for all personnel

Documenting security and compliance processes, practices and procedures is a critical part of ensuing all employees understand expectations. It’s also an important element to ensure security and compliance don’t lap during personnel turnover. While tedious, it’s far from the most difficult requirement within PCI DSS.

Despite its relative ease, it’s 10 out of 12 most likely to be fully compliant and an issue for 80% of organizations that experience a breach. Big strides have been made recently though, with this requirement seeing a 7.4 percentage point increase in compliance.

Achieving PCI Compliance

If achieving compliance in-house poses challenges, consider seeking vendors that offer compliant solutions. This can be a particularly helpful tactic with IT service providers, as 61.3% of those vendors were found to be in full compliance and may be able to extend some of those practices to your organization.

The key when assessing a vendor of a PCI compliant solution is to ask for their PCI responsibilities matrix. Just because an organization itself has achieved compliance doesn’t mean the solutions or services they’re providing were also audited for compliance (more on that in Understanding PCI Compliant Desktops). The responsibilities matrix will give you a clear understanding of which controls are your responsibility, which are covered by the vendor/solution and which are shared. (For help tracking control ownership on your own as you vet potential partners, download the PCI Compliance Responsibilities Checklist.)

Whether you handle everything in house or partner with vendors that can help you achieve PCI DSS compliance, maintaining compliance isn’t an option. Ignoring any one of these 12 requirements leaves organizations vulnerable to a breach and subsequent ramifications and as the data above proves, there’s still a long way to go in making PCI compliance a high adoption practice.

You may also like:

• • Why the Entire C-Suite Should Care About Cybersecurity
  • How to Make Your Virtual Desktops PCI Compliant
  • [Quiz] Does Your Company Need Virtual Desktops?