Blog post

Highlights From Verizon PCI Report 2014

By Anton Chuvakin | February 13, 2014

Tags: security, PCI DSS, compliance

Separate from the Data Breach Investigations Report (the latest was published in 2013), the Verizon PCI report is another awesome resource for security practitioners. Grab your copy here [PDF]!

Here are some of my favorite quotes (with my own bold emphasis):

  • “Organizations that are breached tend to be less compliant with PCI DSS than the average of organizations in our research.” (just as in their 2011 PCI report, this line serves as one data point that *PCI DSS works*)
  • “… while the PCI standards are imperfect, they have evolved to clarify their expectations and address feedback from the industry, and today they provide an increasingly mature framework for organizations to work toward.”
  • “The vast majority of organizations are still not sufficiently mature in their ability to implement and maintain a quality, sustainable PCI Security compliance program.”
  • “According to our research, only around one in ten organizations were fully compliant with PCI DSS 2.0 at the time of their baseline assessment.” (how few were compliant 1 month after? 3 months? 6 months?)
  • “… we feel that as organizations begin to prepare for validation, they will start to realize how significant a step forward DSS 3.0 is.”
  • “Around one in five organizations came close to complying — they passed 95%+ of controls. Of these organizations, more than half failed Requirement 11” (so The New Evil Req is 11, not 10. How about that?)
  • “According to the 2013 DBIR, of all the breaches studied by the Verizon Investigative Response team, not a single one involved cardholder data “in transit” between systems.” (Of course, PCI DSS covers data in motion and at rest, but so far the criminals like it at rest. Or, in fact, in use at the swipe machine!)
  • “[automated data discovery, such as via DLP] isn’t a requirement yet, but we’d recommend that organizations adopt this approach to keep their customers’ data safe and simplify their compliance maintenance efforts.”
  • “Patch management and associated vulnerability management processes represent the biggest problem areas, because they’re rarely well documented and automated.” (I know, I know, 1998 called and it wants its problem back…)
  • “Consistent and complete audit trails can also significantly reduce the cost of a breach. A large part of post-compromise cost is related to the number of cards thought to be exposed. Lack of conclusive log information reduces the forensic investigator’s ability to determine whether the card data in the environment was exposed only partially or in full.” (the point that I’ve been making since … ahem…2005. It still rings true; and it is still NEW to some people…)
  • “Only 9.4% of organizations that our RISK team investigated after a data breach was reported were compliant with Requirement 10. By comparison, our QSAs found 31.7% compliance with Requirement 10. This suggests a correlation between the lack of effective log management and the likelihood of suffering a security breach.” (!!!!!!!)
  • “Incorporating IOC intelligence into your security regime [specifically, into automated log review – A.C.] can help you spot malicious activity on systems more quickly, preventing a breach from happening or at least stopping it in its early stages.”
  • “During post-breach investigations, our RISK team found that just 13.2% of organizations were compliant with this requirement [Requirement 11]. […] Requirement 11 was the least complied-with requirement in our study.” (the most basic, foundational, clearly spelled-out req that goes back to MasterCard SDP in 2001?! WTH is wrong with you, Universe!! :-))
  • “Our data shows that many organizations fail to comply with penetration-testing controls.” [so, they don’t just get a #ScumbagPenTester to do it, they just don’t do it AT ALL?]
  • “Often our QSAs are given a penetration-testing report only to find that the organization hasn’t even read it.”
  • “Our experience suggests that many companies still treat compliance as a one-off annual scramble that the security team owns and the rest of the business begrudges.”
  • “Instead of seeing PANs and other card data as just fields in a database, every employee should be taught to see them as valuable corporate assets worthy of protection and due care.”

My biggest surprise this year?! Unquestionably, this: “Requirement 11 was the least complied-with requirement in our study.”

Overall, an excellent piece of fact-based research on PCI DSS implementation problems and achievements!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.