According to Verizon’s 2015 PCI Compliance Report, four out of five companies responsible for adhering to the PCI standards were falling below compliance at some point during the year. If that sounds like an alarming number, it is. But even more disturbing is that Verizon has been publishing this report since 2010, and while some of the metrics have improved, the overall state of the industry has not.

Unfortunately, this report reflects what most security professionals already know. There are really no surprises in this year's Verizon findings; they are essentially the same as in previous years, and the same as in every other "state of the InfoSec industry" report. Laid out in black and white (and red) for all to see, the repeatedly unfavorable findings in this report clearly have not inspired many companies to make a concerted effort to be compliant or secure.

Getting to the Root of the Problem

So what's going on here? Why are so many companies failing in their security efforts? We believe this is due in part to the self-reporting nature of PCI compliance validation. Unless a merchant processes extremely large volumes of card transactions (a Level 1 merchant such as Target, which must undergo an independent assessment), its PCI compliance status is measured and reported through its own answers to a Self-Assessment Questionnaire (SAQ) rather than through an independent audit. In many cases, questionnaires submitted to acquiring banks indicate that a company is compliant with the PCI DSS when in fact it is not. Often the respondent has (in good faith) misread what a question is asking, or has scoped the cardholder data environment too narrowly, so that systems which store, process or transmit card data, or are connected to systems that do, were never assessed at all; either way, the answer on the questionnaire is wrong. Further, because companies know that non-compliance can lead to fines and penalties (or job loss for the responsible party), it is tempting to judge one's own security controls as compliant even when they fall short. Of more concern, though, is the nature of compliance itself.

A 'compliant' security program is by definition a tactical one: it checks off boxes to avoid incurring fees or the wrath of a regulator. Think of cyber theft instead as an adversary constantly probing your house. Protecting it from hackers and malware involves more than locking the windows and doors, because thieves keep inventing new ways in. Keeping them out requires a holistic approach that addresses every plausible form of entry or compromise, on an ongoing basis rather than once a year at assessment time.

Checking off boxes to be compliant simply doesn't cut it, and might even have the opposite effect. Senior management may see the "compliant" status on the questionnaire and wrongly conclude that the company is protected against security threats and breaches when it is not. Any time management makes decisions on flawed data, undesirable results are likely to follow.

Another significant challenge security teams face is convincing the powers-that-be to divert precious company resources to security, especially when revenue-generating initiatives compete for the same dollar. Security folks tend to think (and communicate) in bits and bytes, so requests for security funding (at the expense of growth opportunities) often go unheeded. Non-IT executives think in terms of the business rather than the technology that drives it, leaving compliance as a policing function for IT to perform, and to pay for, on an inadequate budget.

Breaking Out of a Compliance Mindset 

Reports across the industry indicate that cyber theft is on the rise. But we don’t need reports to tell us that. Ask any security professional, and he or she will tell you: thieves are getting smarter and attacks are becoming more challenging to fend off.

The spirit of PCI DSS is about protecting cardholder data, not getting a good grade on a report card. If the thieves are getting smarter, we need to get smarter, too. A good security program includes regular evaluation, as well as ongoing monitoring and analysis that responds effectively to the current threat environment. PCI DSS itself mandates, for example, daily log review, quarterly vulnerability scans and annual penetration testing, but the standard describes itself as a minimum set of requirements, not a ceiling. And smart security professionals will look for ways to communicate security risks and issues in a style and manner that rings true with their management team.

With PCI DSS Version 2.0 retired on December 31, 2014, the PCI Security Standards Council now requires all merchants to assess against Version 3.0. The Council released the update to, among other things, 'align with changes in industry best practices, manage evolving risk and provide a stronger focus on some of the greater risk areas in the threat environment.' While these directives come from the Council, businesses accepting credit cards would be wise to adopt them as their own. The first step in improving industry-wide compliance is to break out of a compliance-only mindset and put muscle behind a data security program that does the job it's supposed to do.


LBMC Information Security reviews compliance efforts, can test to assure compliance and can help your team develop an action plan to remediate compliance. If you have questions, please contact us. Learn more about our PCI Compliance services.
