Verizon PCI Report: Compliance Weakest Where Continuous Effort Is Required

According to the Verizon 2010 Payment Card Industry Compliance Report, organizations are generally doing a good job meeting most PCI DSS requirements but struggle when they have to engage in continuous security activity, such as daily monitoring of logs, according to the business analysis of its PCI assessment clients. In addition, Verizon found that organizations that had suffered data breaches of cardholder information performed dismally in terms of compliance with most PCI requirements.

October 4, 2010



The report found that about a fifth of the organizations included in the analysis were found fully PCI compliant in Verizon's Initial Report on Compliance (IROC) issued after the assessors' site visit. That means that the client passed each one of about 150 tests based on the subsections of the 12 core PCI DSS requirements.

Verizon analysts were surprised the full compliance figure (22 percent) was that high. They found that while some passed more easily because of relatively simple environments (e.g., they didn't have wireless deployments), many successful organizations had passed in previous years and built on their experience to maintain compliance. "What was consistent among these 22 percent was they treated PCI as a lifestyle change," said Jennifer Mack, Verizon's director of global PCI consulting services. "They incorporated it into their daily processes and didn't act with a project mentality."

The report is based on an analysis of about 200 organizations chosen as a cross-section of Level 1 through Level 4 Verizon QSA clients in 2008 and 2009.

The lowest compliance rates were in:

  • Requirement 3: Protect stored data (43 percent)

  • Requirement 10: Track and monitor all access to network resources and cardholder data (39 percent)

  • Requirement 11: Regularly test security systems and processes (38 percent)

Requirement 10 is problematic, the report said, because although organizations generally turn on logging for network devices, they fail to do so for applications and allow logs to be overwritten instead of offloading them for storage. Finally, they are overwhelmed by the requirement to review logs daily.
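The daily log review that Requirement 10 asks for is the step the report says organizations find overwhelming. The script below is an added example, not code from the report or from Verizon: it reads a handful of constructed application audit-log lines in a hypothetical format (timestamp, user, action, resource, outcome), tallies who touched cardholder-data resources, and flags the things a reviewer would want surfaced each day (repeated failed logins, off-hours exports of cardholder data, and lines the parser could not read, which can indicate a format change or tampering). The resource naming (`cardholder_db/`), the business-hours window, and the failed-login threshold are assumptions.

```python
"""Daily review of an application audit log for cardholder-data access.

Added example, not part of the Verizon report. The log format and the
policy constants below are assumptions chosen for the demonstration.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a hypothetical audit-log format:
# <ISO-8601 UTC timestamp> <user> <action> <resource> <OK|FAIL>
SAMPLE_LOG = """\
2010-09-30T08:12:04Z alice READ cardholder_db/pan_table OK
2010-09-30T09:40:11Z bob READ cardholder_db/pan_table OK
2010-09-30T02:13:55Z svc_batch EXPORT cardholder_db/pan_table OK
2010-09-30T02:14:02Z svc_batch EXPORT cardholder_db/pan_table OK
2010-09-30T10:02:17Z mallory LOGIN auth FAIL
2010-09-30T10:02:21Z mallory LOGIN auth FAIL
2010-09-30T10:02:25Z mallory LOGIN auth FAIL
2010-09-30T10:02:29Z mallory LOGIN auth FAIL
2010-09-30T11:15:00Z alice READ inventory/stock OK
this line is garbage and must be reported as unparseable
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<resource>\S+)\s+(?P<outcome>OK|FAIL)$"
)

CHD_PREFIX = "cardholder_db/"   # assumed prefix of resources holding cardholder data
BUSINESS_HOURS = range(7, 20)   # assumed 07:00-19:59 UTC
FAILED_LOGIN_THRESHOLD = 3      # assumed review threshold


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review(text):
    """Summarize one day's log: per-user cardholder-data access and findings."""
    chd_access = Counter()      # (user, action) -> count on cardholder-data resources
    failed_logins = Counter()   # user -> failed LOGIN count
    off_hours = []              # cardholder-data activity outside business hours
    unparseable = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparseable += 1
            continue
        if rec["resource"].startswith(CHD_PREFIX):
            chd_access[(rec["user"], rec["action"])] += 1
            if rec["ts"].hour not in BUSINESS_HOURS:
                off_hours.append((rec["user"], rec["action"], rec["ts"].isoformat()))
        if rec["action"] == "LOGIN" and rec["outcome"] == "FAIL":
            failed_logins[rec["user"]] += 1

    findings = []
    for user, n in sorted(failed_logins.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{n} failed logins for {user}")
    for user, action, ts in off_hours:
        findings.append(f"off-hours {action} of cardholder data by {user} at {ts}")
    if unparseable:
        findings.append(f"{unparseable} unparseable line(s); check log format and integrity")
    return {"chd_access": chd_access, "findings": findings, "unparseable": unparseable}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for (user, action), n in sorted(result["chd_access"].items()):
        print(f"{user:10} {action:7} {n}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against a real application log, the only parts that change are the regular expression and the resource naming; the point of the structure is that the review output is a short list a person can actually read every day, which is what the requirement demands and what the report says organizations fail to sustain.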

Organizations performed woefully across all aspects of regularly testing security systems and processes, but failure to perform file integrity monitoring was the single greatest failure among the 150 or so tests required across the PCI standard. The consistent theme with non-compliance for tracking, monitoring, and regular testing was the failure to apply security practices that require continuous activity.

The protection of stored data fared poorly because many organizations encrypt databases but neglect flat files in file shares and other files, such as images, that may contain cardholder data. In addition, organizations have trouble with poor key management practices. As the security adage goes, "Encryption is easy; key management is hard."
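Because file integrity monitoring was the single most-failed test, here is what the check itself amounts to, as an added example that is not code from the report or from Verizon: hash every regular file under a directory into a baseline, then compare a later pass against it and report additions, removals and modifications. The sample tree is constructed in a temporary directory; the file names in it, and the decision not to follow symlinks, are assumptions for the demonstration.

```python
"""File-integrity baseline and comparison, the core of a Requirement 11 check.

Added example, not part of the Verizon report. Builds a SHA-256 baseline of a
directory tree and reports what changed on a later pass.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, size, permission bits) for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Assumed policy: record regular files only; symlinks are not followed.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), st.st_size, st.st_mode & 0o777)
    return baseline


def compare(old, new):
    """Diff two baselines. A changed hash, size or mode counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tree, change it, and diff the result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "conf", "app.ini"), "w") as f:
            f.write("log_to_syslog=1\n")
        with open(os.path.join(root, "pos.bin"), "wb") as f:
            f.write(b"\x7fELF constructed binary")
        with open(os.path.join(root, "old.log"), "w") as f:
            f.write("rotated log\n")
        base = build_baseline(root)

        # Same-size edit: size alone would miss this, the hash does not.
        with open(os.path.join(root, "conf", "app.ini"), "w") as f:
            f.write("log_to_syslog=0\n")
        with open(os.path.join(root, "pos.bin"), "wb") as f:
            f.write(b"\x7fELF replaced binary!!")
        with open(os.path.join(root, "unexpected.tmp"), "w") as f:
            f.write("x")
        os.remove(os.path.join(root, "old.log"))

        return compare(base, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}", ", ".join(paths) or "-")
```

The detection logic is the easy half; the part the report says organizations do not sustain is running the comparison on a schedule, protecting the baseline from the same tampering it is meant to detect, and having someone act on the output.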
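The Requirement 3 finding is that cardholder data leaks into flat files that nobody thought to encrypt. Discovering those files is a scan, and the following added example (not code from the report or from Verizon) shows the shape of one: it looks for 13 to 19 digit runs, keeps only the ones that pass the Luhn check most payment card numbers satisfy, and reports them masked (first six and last four digits) so the scan report itself does not become another store of cardholder data. The numbers in the constructed sample files are widely published Luhn-valid test values, not real cards; the file names are assumptions.

```python
"""Find candidate primary account numbers (PANs) in flat files.

Added example, not part of the Verizon report. Digit runs that pass the Luhn
check are reported in masked form only.
"""
import os
import re
import tempfile

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: doubling every second digit from the right, sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked, Luhn-valid candidates found in a string."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_tree(root, max_bytes=10 * 1024 * 1024):
    """Map relative path -> masked hits for every readable file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(max_bytes)
            except OSError:
                continue
            # latin-1 never fails to decode and keeps ASCII digits intact.
            pans = find_pans(data.decode("latin-1"))
            if pans:
                hits[os.path.relpath(path, root)] = pans
    return hits


def demo():
    """Constructed tree: an export with one valid and one invalid number,
    a notes file with a dashed number, and a file with nothing of interest."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "export.csv"), "w") as f:
            f.write("order,amount,card\n1001,19.99,4111111111111111\n")
            f.write("1002,5.00,1234567890123456\n")  # fails Luhn, not reported
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("customer called, card 5500-0000-0000-0004 declined\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("no numbers here\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, pans in sorted(demo().items()):
        print(path, pans)
```

A Luhn-valid 16-digit run is not always a card number (some identifiers and timestamps pass by chance), so hits are leads for a person to confirm, and the scan does nothing for image files, which the report also names; those need OCR or a policy decision about where images of receipts may live at all.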

By contrast, the highest compliance rate (70 percent) was the use and regular updating of antivirus software (Requirement 5). Although antivirus deployment is pervasive, organizations' practices around it, such as timely updates, bring the compliance figure down.

The figures for organizations that had suffered cardholder data breaches were far more dramatic. The analysts drew upon the last two annual Verizon Data Breach Investigation Reports and studied how their security practices matched up against the PCI requirements.

The numbers in the lowest compliance categories are eye-opening, far worse than those of the organizations covered in the PCI report:

  • Requirement 3: Protect stored data (19 percent)

  • Requirement 6: Develop and maintain secure systems and applications (12 percent)

  • Requirement 10: Track and monitor all access to network resources and cardholder data (15 percent)

  • Requirement 11: Regularly test security systems and processes (19 percent)

Verizon's Mack said the numbers in the report bear out the potential effectiveness of a sustained security program. "It's an affirmation that we are preaching the right methods, trying to do the right thing to protect data," she said. "These things will work if implemented and maintained. The thing we saw most were people were not doing enough to maintain compliance."
