At the last PCI Community meeting, my friend Ciske Van Ossten, Global Intelligence Manager, Verizon PCI Security Practice, introduced his latest Verizon Compliance Report, which I summarise below for your eyes only!
Key Notes
- PCI compliance is improving worldwide and across industries.
- The majority of organisations struggle to implement resilient control environments that keep them compliant all year round.
- The skills, experience and know-how needed to design and implement controls that protect data effectively and sustainably are considerable.
- More organisations are deploying tokenisation to reduce their PCI scope.
- It is rarely the failure of a security technology itself that leads to compromise. It is the way the technology is approached, and the proficiency with which it is deployed and maintained, that creates exposure and leads to data breaches.
- Attacks happen literally in seconds, but containing them takes days or longer.
- Req 7 has the highest compliance rate, with 89% of organisations achieving 100% compliance.
- Req 8 is the requirement showing the highest year-on-year improvement.
- Req 11 has by far the lowest compliance rate and is the only requirement whose compliance rate dropped since the previous year.
Correlation between PCI Compliance and Data Breaches
- Of all the payment card data breaches Verizon has investigated over the past 10 years, not a single organisation was PCI compliant at the time of the breach. Each had failed PCI controls that were material to the breach.
- Being fully PCI compliant does not guarantee security.
- Companies that do not maintain compliance have significantly increased exposure to data breaches.
Requirements showing high correlation with data breaches
- Req 6: Maintain secure systems (patching).
- Req 7: Authorisation. Breach victims struggle with the concept of least-privilege access much more than other organisations. Breached companies were equally bad at authenticating access (Req 8).
- Req 10: Logging and monitoring. Organisations with poor logging and monitoring are likely to take longer to spot breaches, giving criminals more time to do more damage. Many breaches go undetected for months or even years.
- Req 11: Testing. Just 33% of organisations passed all the testing procedures; among breached companies this came down to just 9%.
- Req 12: Lack of governance.
Requirements showing low correlation with data breaches
- Requirements 4 and 9 are not surprising: few, if any, large organisations transmit sensitive data in the clear over the internet or leave hard drives out for the taking, and even fewer breaches occur because of such mistakes.
- It is surprising that Requirement 2 (basic security hardening) is not a more significant differentiator between breached and non-breached organisations.
About Maintaining Compliance
- Only 12% of organisations maintained full compliance over the last 3 years.
- 20% of organisations maintain full compliance all year round.
- 80% of organisations fail to maintain full compliance all year round.
- Two thirds fall out of compliance between 2 and 9 months after their annual validation.
- On average, organisations have 94% of controls in place, so only 6% of controls cause them problems. It is the type of control on which they fail that is of concern:
- Req 2 (because of the difficulty of keeping system configuration documentation current as systems change), followed by Req 10, 5 and 1.
About Compensating Controls
- 67% of organisations use compensating controls for Req 8.
- Two thirds of compensating controls address technical constraints:
- operating systems or applications with a limitation that prevents or hampers the implementation of a particular control
- infrastructure or architecture issues
- third-party vendors placing restrictions on the use and modification of specific system configurations as part of their service agreement
- One third of compensating controls address business constraints:
- internal operational limitations preventing the implementation of a required compliance procedure
- financial or resource restrictions
- legal or contractual restrictions
About the Pain Points
Req 1
Nearly a quarter of companies still failed to comply with control 1.1. Companies often interpret this control as simply requiring a dump of the firewall rules with an associated change ticket. They fail to document the security features enabled for each insecure service in use, which first requires mapping all the services in use.
To comply with control 1.1, companies must have a thorough understanding of the flow of data, and few do.
Most people focus on inbound rules and pay insufficient attention to outbound (egress) rules.
A significant number of organisations still produce poorly documented network and CHD flow diagrams.
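The outbound blind spot is easy to check for mechanically. The following script is an added example, not part of the original post or of the Verizon report: it parses an iptables-save style dump (the ruleset below is constructed, showing the common pattern of a tight INPUT chain next to a wide-open OUTPUT chain) and reports the two things a Req 1 reviewer should look for on egress, a permissive default policy on OUTPUT and catch-all outbound ACCEPT rules. Chain and option names are the standard iptables ones; everything else is made up for the example.

```python
"""Audit an iptables-save dump for the outbound (egress) blind spot.

Added example, not from the Verizon report or the original post. The sample
ruleset is constructed; only the iptables syntax is real.
"""
import re

# Constructed sample: inbound is tight, outbound is wide open (the common pattern).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.10.5.0/24 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -d 10.10.1.53 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*)$")


def parse_dump(text):
    """Return ({chain: default_policy}, [(chain, rule_body), ...]) for the filter table."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return policies, rules


def is_catch_all_accept(rule_body):
    """True if the rule accepts with no match on protocol, port, address or state."""
    if not rule_body.rstrip().endswith("-j ACCEPT"):
        return False
    # Anything before "-j ACCEPT" is a match criterion (-p, --dport, -s, -d, -m ...).
    matches = rule_body.rsplit("-j", 1)[0].strip()
    return matches == ""


def audit_egress(text):
    """Return a list of findings about the OUTPUT chain; an empty list means clean."""
    policies, rules = parse_dump(text)
    findings = []
    if policies.get("OUTPUT", "ACCEPT") == "ACCEPT":
        findings.append("OUTPUT policy is ACCEPT: outbound traffic is allowed by default")
    for chain, body in rules:
        if chain == "OUTPUT" and is_catch_all_accept(body):
            findings.append(f"catch-all egress rule: -A OUTPUT {body}")
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_DUMP):
        print("FINDING:", finding)
```

The fix the findings point at is the mirror image of the inbound chain: a DROP default policy on OUTPUT plus explicit allows for the flows the CHD flow diagram says must exist (DNS, NTP, payment processor, patch repository), which is exactly why control 1.1 demands that the data flows be understood before the rules are written.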
Req 2
- Companies struggle to maintain the configuration of their system landscape.
- The most problematic controls concern keeping the environment in line with its documented intended state, and keeping the documentation in line with the environment.
- Data held without a valid business need.
- Data stored beyond the periods defined in official retention policies.
- Misconfigured systems unintentionally storing data.
- Using insecure cryptographic protocols (such as SSL 2.0) or weak keys.
- Employees sending or receiving CHD in clear text via email or chat.
- 6.2 (patching, under Req 6): keeping up with patch installation is the biggest issue within that requirement.
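Two of the pain points above, systems unintentionally storing cardholder data and CHD passing in clear text through email or chat, are found the same way: by searching for PANs where they should not be. The script below is an added example, not from the original post or the Verizon report. It runs over a constructed application log and a constructed chat export, picks out 13 to 19 digit candidates (allowing the usual space or dash grouping), confirms them with the Luhn check so that ticket numbers and timestamps do not produce noise, and reports them masked to first six and last four digits. The card numbers in the samples are the well-known public test PANs, not real cards.

```python
"""Find card numbers (PANs) lurking in logs and chat exports.

Added example, not part of the original post. The sample files are constructed;
the 4111..., 5555... and 4012... numbers are standard test PANs.
"""
import re

# Constructed sample inputs (file name -> content). 1234567812345678 fails Luhn.
SAMPLES = {
    "app.log": (
        "2015-03-02T10:14:07Z INFO order=8812 status=AUTH_OK\n"
        "2015-03-02T10:14:09Z DEBUG raw_request={\"pan\":\"4111111111111111\",\"exp\":\"1217\"}\n"
        "2015-03-02T10:15:33Z INFO ticket=1234567812345678 closed\n"
    ),
    "chat-export.txt": (
        "[10:02] alice: customer card is 5555 5555 5555 4444, can you retry?\n"
        "[10:03] bob: done, ref 4012-8888-8888-1881 went through\n"
    ),
}

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four digits (the most PCI DSS 3.3 lets a display show)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return [(line_no, masked_pan)] for Luhn-valid 13-19 digit numbers in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


def scan_all(samples=SAMPLES):
    """Run find_pans over every sample; returns {name: hits} for names with hits."""
    results = {}
    for name, text in samples.items():
        hits = find_pans(text)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, hits in scan_all().items():
        for line_no, masked in hits:
            print(f"{name}:{line_no}: possible PAN {masked}")
```

The Luhn check is what keeps this usable on real data: the ticket number on line 3 of the log is a 16-digit run that a bare regex would flag, but it fails the checksum and is dropped. Run against a debug log, the first hit (a request body logged verbatim) is the classic "misconfigured system unintentionally storing data" finding.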
Req 8
- 8.2 (ensure proper user authentication) is the control least often found in place within this requirement.
- 8.5 (do not use group, shared or generic accounts, passwords or other authentication methods).
Req 10
- 10.4.1 (critical systems have the correct and consistent time) and
- 10.4.2 (time data is protected) trip companies up, and
- 10.6 (review logs and security events for all system components to identify anomalies or suspicious activity) also tripped up 8.9% of the companies assessed. Companies don't normally have a problem creating the logs; it is analysing them automatically and efficiently that they find challenging.
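As an added example of the "analysing them automatically" gap (this is not code from the original post or the Verizon report), the script below takes a handful of constructed sshd-style syslog lines and turns them into the three findings a 10.6 review most often needs: bursts of failed logins from one source, successful logins to shared or generic accounts (the 8.5 problem from the previous section), and timestamps that run backwards on a single host, which is the usual symptom of the unsynchronised clocks behind 10.4.1. Host names, users, addresses and the list of generic account names are all assumptions for the example.

```python
"""Turn raw auth events into review findings (Req 10.6, 8.5 and 10.4.1 checks).

Added example, not from the Verizon report or the original post. The log lines
are constructed to look like sshd/PAM syslog output; hosts, users and addresses
are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

GENERIC_ACCOUNTS = {"admin", "root", "operator", "pos", "service"}  # assumed list
FAIL_THRESHOLD = 5                    # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=2)    # ... within this window is a burst

# Constructed sample events: ISO timestamp, host, sshd message.
SAMPLE_LOG = """\
2015-03-02T09:00:01Z pos-gw1 sshd[2201]: Accepted publickey for alice from 10.10.5.21 port 50112 ssh2
2015-03-02T09:00:14Z pos-gw1 sshd[2207]: Failed password for invalid user test from 203.0.113.9 port 41022 ssh2
2015-03-02T09:00:15Z pos-gw1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.9 port 41023 ssh2
2015-03-02T09:00:17Z pos-gw1 sshd[2207]: Failed password for root from 203.0.113.9 port 41024 ssh2
2015-03-02T09:00:19Z pos-gw1 sshd[2207]: Failed password for root from 203.0.113.9 port 41025 ssh2
2015-03-02T09:00:22Z pos-gw1 sshd[2207]: Failed password for root from 203.0.113.9 port 41026 ssh2
2015-03-02T09:05:40Z db-cde1 sshd[881]: Accepted password for admin from 10.10.5.30 port 50301 ssh2
2015-03-02T09:02:03Z db-cde1 sshd[884]: Accepted publickey for bob from 10.10.5.22 port 50310 ssh2
2015-03-02T09:07:10Z pos-gw1 sshd[2290]: Failed password for alice from 10.10.5.21 port 50120 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(text):
    """Parse lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failed_login_bursts(events):
    """{source: count} for sources with >= FAIL_THRESHOLD failures inside FAIL_WINDOW."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):       # sliding window over sorted times
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                flagged[src] = end - start + 1
    return flagged


def generic_account_logins(events):
    """Successful logins to shared/generic accounts, as (host, user, source)."""
    return [(ev["host"], ev["user"], ev["src"])
            for ev in events
            if ev["result"] == "Accepted" and ev["user"] in GENERIC_ACCOUNTS]


def clock_regressions(events):
    """{host: count} of events whose timestamp is earlier than the host's previous one."""
    last, bad = {}, Counter()
    for ev in events:                        # events are taken in log (arrival) order
        if ev["host"] in last and ev["ts"] < last[ev["host"]]:
            bad[ev["host"]] += 1
        last[ev["host"]] = ev["ts"]
    return dict(bad)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("generic account logins:", generic_account_logins(evs))
    print("clock regressions:", clock_regressions(evs))
```

None of these checks is sophisticated, and that is the point: the 8.9% who fail 10.6 usually have the events but nobody looking at them. The clock check in particular is cheap to run continuously and catches the 10.4.1 problem before an incident responder discovers that two hosts' timelines cannot be reconciled.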
Req 11
- Lack of accountability: organisations lose track of scanning when people change roles or leave the company and responsibility for managing scanning is not handed over properly.
- Ignoring the need to scan internally: organisations wrongly believe that passing an external scan is sufficient and that their firewalls prevent any other form of threat.
- Being unable to present reports: there are many cases of organisations unable to produce scan results because they have lost access to a former ASV's online portal, or have simply lost the reports. Consistent record keeping is an important part of PCI DSS compliance, and being unable to produce documentation is just not acceptable.
- Lack of a documented, applied and tested incident response plan.