Monday, October 18, 2010

PCI Compliance Report Published

Verizon recently released a second report, the "2010 Payment Card Industry Compliance Report." The report complements its annual Data Breach Investigations Report. There is some good reading here. It analyzes findings from actual PCI assessments conducted by Verizon. "The report examines the progress of organizations toward the goal of compliance and includes topics such as how and why some seem to struggle more than others." It also has statistics on which PCI DSS requirements and sub-requirements are most and least often in place (or compensated for) during the assessment process.

One finding that matches my own experience -- and that of many Higher Ed institutions -- is that merchants struggle most with three requirements: Requirement 10 (logging), 11 (testing systems), and 3 (protect stored cardholder data).

There were also two conclusions that give more importance to PCI (and argue against some of the PCI skeptics). First, they found that companies that were breached were 50% less likely to be PCI compliant than the overall population of organizations. Second, PCI addressed all of the top 10 threats that lead to data compromises. Indeed, for most of the threats PCI offered multiple layers of defense.

One of my favorite quotes is:

[W]e must further draw a distinction between the terms “compliance” and “validation.” Compliance is a continuous process of adhering to the regulatory standard. Validation, on the other hand, is a point-in-time event. It is a state of nature analysis that attempts to measure and describe the level of adherence to the standard. An organization may be able to pass validation in order to “achieve compliance” but then—once the QSA leaves—become lax about maintaining the degree of security the standard is designed to provide over time. [This means that PCI compliance is an ongoing responsibility - not a one-time event.]

Another quote reinforces the value of getting an outside opinion:

Furthermore, these findings demonstrate the importance of external validation against the standard. Most organizations appear overconfident when assessing the state of their security practices. The data also suggests that a significant proportion of these practices tend to erode over time, and that maintaining an ongoing approach to compliance is critical.

[O]rganizations are better at planning and doing than they are at checking. This is important to understand because checking is a prerequisite to acting. If the check phase is broken, organizations cannot react to events, remediate flaws, or maintain the state of security practices over time. [There is more detail on pages 7 and 8, and yes, I know what you're thinking...what else would you expect from a QSA!?! But the point is valid nevertheless: it can be a good idea to get an outside opinion.]

For more information and maybe a different take, good friend and author Anton Chuvakin also wrote about some of the highlights in his blog. You should check it out.

Either way, download the report and have a read. It may contain some good information for your next PCI training (or budgeting?) session.

1 comment:

  1. A fundraiser will be conducted, and the volunteers are going to be taking calls and processing credit card information to accept donations. What PCI DSS requirements is the organization under for those volunteers, since they are handling payment card information? Do they have to go through any kind of security training, as regular employees do?

    Other than PCI DSS compliance, are there other procedural precautions one should take in regard to having a temporary volunteer staff?