Here are some of my favorite quotes (with my own bold emphasis):
- “Organizations that are breached tend to be less compliant with PCI DSS than the average of organizations in our research.” (just as in their past PCI 2011 report, this line serves as one data point that *PCI DSS works*)
- “… while the PCI standards are imperfect, they have evolved to clarify their expectations and address feedback from the industry, and today they provide an increasingly mature framework for organizations to work toward.”
- “The vast majority of organizations are still not sufficiently mature in their ability to implement and maintain a quality, sustainable PCI Security compliance program.”
- “According to our research, only around one in ten organizations were fully compliant with PCI DSS 2.0 at the time of their baseline assessment.” (how few were compliant 1 month after? 3 months? 6 months?)
- “… we feel that as organizations begin to prepare for validation, they will start to realize how significant a step forward DSS 3.0 is”
- “Around one in five organizations came close to complying — they passed 95%+ of controls. Of these organizations, more than half failed Requirement 11” (so The New Evil Req is 11, not 10. How about that?)
- “According to the 2013 DBIR, of all the breaches studied by the Verizon Investigative Response team, not a single one involved cardholder data “in transit” between systems.” (Of course, PCI DSS covers data in motion and at rest, but so far the criminals like it at rest. Or, in fact, in use at the swipe machine!)
- “[automated data discovery such as via DLP] isn’t a requirement yet, but we’d recommend that organizations adopt this approach to keep their customers’ data safe and simplify their compliance maintenance efforts.”
- “Patch management and associated vulnerability management processes represent the biggest problem areas, because they’re rarely well documented and automated.” (I know, I know, 1998 called and it wants its problem back…)
- “Consistent and complete audit trails can also significantly reduce the cost of a breach. A large part of post-compromise cost is related to the number of cards thought to be exposed. Lack of conclusive log information reduces the forensic investigator’s ability to determine whether the card data in the environment was exposed only partially or in full.” (the point that I’ve been making since … ahem … 2005. It still rings true; and it is still NEW to some people…)
- “Only 9.4% of organizations that our RISK team investigated after a data breach was reported were compliant with Requirement 10. By comparison, our QSAs found 31.7% compliance with Requirement 10. This suggests a correlation between the lack of effective log management and the likelihood of suffering a security breach.” (!!!!!!!)
- “Incorporating IOC intelligence into your security regime [specifically, into automated log review – A.C.] can help you spot malicious activity on systems more quickly, preventing a breach from happening or at least stopping it in its early stages.”
- “During post-breach investigations, our RISK team found that just 13.2% of organizations were compliant with this requirement [Requirement 11]. […] Requirement 11 was the least complied-with requirement in our study.” (the most basic, foundational, clearly spelled-out req that goes back to MasterCard SDP in 2001?! WTH is wrong with you, Universe!! :-))
- “Our data shows that many organizations fail to comply with penetration-testing controls.” (so, they don’t just get a #ScumbagPenTester to do it, they just don’t do it AT ALL?)
- “Often our QSAs are given a penetration-testing report only to find that the organization hasn’t even read it.”
- “Our experience suggests that many companies still treat compliance as a one-off annual scramble that the security team owns and the rest of the business begrudges.”
- “Instead of seeing PANs and other card data as just fields in a database, every employee should be taught to see them as valuable corporate assets worthy of protection and due care.”
My biggest surprise this year?! Unquestionably, this: “Requirement 11 was the least complied-with requirement in our study.”
Overall, an excellent piece of fact-based research on PCI DSS implementation problems and achievements!
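Two of the quotes above describe concrete techniques rather than policy: feeding IOC intelligence into automated log review, and automated discovery of card data where it should not be. The script below is an added example (mine, not code from the Verizon report or from this post) that does both in one pass over log lines: it matches constructed IOCs (IPs, domains, file hashes) against each line, and it flags digit runs that pass the Luhn check as PANs leaked into logs in the clear, masking them to the first six and last four digits before reporting. The `IocSet`, `Finding`, `review`, `luhn_valid` and `mask_pan` names, every indicator and every log line are constructed for the demo and assume nothing about any real environment.

```python
"""Automated log review: IOC matching plus PAN-leak detection.

Added example (not from the Verizon report or this post). All indicators
and log lines below are constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IocSet:
    """Indicators of compromise to match against log lines."""
    ips: frozenset[str] = frozenset()
    domains: frozenset[str] = frozenset()   # stored lowercase
    hashes: frozenset[str] = frozenset()    # stored lowercase hex


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "ioc_ip", "ioc_domain", "ioc_hash" or "pan_in_log"
    indicator: str   # the matched IOC, or a masked PAN
    line: str


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS 3.3 style masking: at most the first six and last four shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def review(lines, iocs: IocSet) -> list[Finding]:
    """Return one Finding per IOC hit or Luhn-valid PAN found in the lines."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs.ips:
                findings.append(Finding(n, "ioc_ip", ip, line))
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in iocs.domains:
                findings.append(Finding(n, "ioc_domain", dom.lower(), line))
        for h in HASH_RE.findall(line):
            if h.lower() in iocs.hashes:
                findings.append(Finding(n, "ioc_hash", h.lower(), line))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Luhn drops things like transaction IDs that merely look like PANs
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(n, "pan_in_log", mask_pan(digits), line))
    return findings


# Constructed indicators for the demo (not real threat intelligence).
DEMO_IOCS = IocSet(
    ips=frozenset({"203.0.113.45", "198.51.100.7"}),
    domains=frozenset({"update-check.example.net"}),
    hashes=frozenset({"5d41402abc4b2a76b9719d911017c592"}),
)

# Constructed syslog-like lines for the demo.
SAMPLE_LOGS = [
    "2014-02-10T03:12:44Z fw1 kernel: ACCEPT SRC=10.0.5.21 DST=203.0.113.45 DPT=443",
    "2014-02-10T03:13:02Z dns1 named: client 10.0.5.21 query: update-check.example.net IN A",
    "2014-02-10T03:14:17Z pos07 av: scan complete, no threats found",
    "2014-02-10T03:15:09Z pos07 app: DEBUG authorize card=4111111111111111 amount=42.10",
    "2014-02-10T03:15:10Z pos07 app: DEBUG txn id=1234567890123456 result=approved",
    "2014-02-10T03:16:30Z pos07 edr: new process svchost.exe md5=5d41402abc4b2a76b9719d911017c592",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOGS, DEMO_IOCS):
        print(f"line {f.line_no}: {f.kind} {f.indicator}")
```

On the sample data this reports the firewall hit on the IOC address, the DNS lookup of the IOC domain, the unmasked test PAN on line 4 and the IOC hash on line 6; the 16-digit transaction ID on line 5 fails Luhn and is correctly ignored. The masked PAN in the finding is what you would want to carry into a ticket or SIEM alert, since the review tool itself must not become another place where full PANs accumulate.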
- Verizon DBIR 2013 Highlights and Favorites
- PCI Report 2011 and PCI Community Meeting 2011
- THE “PCI Compliance” book, 3rd edition (4th coming soon)
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.