Update: Richard Santalesa of the Sm@rtedgeLaw Group was interviewed by Eric Parizo of SearchSecurity.com for the story Verizon PCI report: Pen testing, passwords cause PCI assessment gaffes to discuss PCI and the 2014 Verizon PCI Compliance Report.
Verizon’s 2014 PCI Compliance Report (“PCR”) is now available for free download in “pre-release.” Along with Verizon’s annual and influential Data Breach Investigations Report (DBIR) the two reports often paint a disheartening picture of the state of information and data security.
In the wake of the mammoth Target breach, we may be looking at a “Titanic sinking” level event for the data security, privacy, infosec and PCI-DSS communities. Certainly not in the sense of loss of life, but in the sense that the Titanic tragedy generated significant Senate Commerce Committee hearings over 17 days that resulted in 1,100 transcript pages, a comprehensive final report and recommendations that led to significant structural improvements in shipping (e.g., establishing the International Ice Patrol) and legislated safety (including sufficient lifeboats/life jackets for all passengers, mandatory searchlights, 24×7 radio operators on duty, etc.). The ultimate resolution of the Target breach may be a sea change in approaching PCI-DSS, accelerated movement to EMV “chip-and-pin” or “chip-and-signature” debit/credit cards and other changes.
And the 2014 Verizon PCI Compliance Report highlights just why changes are needed. Notably, the PCR focuses on DSS 2.0, since the updated PCI-DSS 3.0 standards, released in Nov. 2013, only went into effect last month on Jan. 1, 2014, and actual enforcement of the 3.0 standards begins as of Jan. 1, 2015.
2014 PCI MILESTONES
• The PCI Data Security Standard (DSS) turns ten years old
• DSS 3.0 becomes effective and validation assessments start 1/1/2014
• DSS 2.0 expires and compliance validation against version 3.0 becomes mandatory 12/31/2014
Some shudder-inducing findings from the PCR include:
- Credit card fraud exceeded $11.2 billion in 2012, up from approximately $3 billion in 2000
- Only around 1 in 10 organizations were fully compliant with PCI DSS 2.0 at the time of their baseline assessment
- Only 11.1% of companies passed all 12 PCI requirements in 2013
In response to this dismal picture, the PCR recommends 5 key approaches to PCI compliance:
- Don’t underestimate the [time and] effort involved in becoming PCI compliant. We can’t stress THIS recommendation enough. We’ve repeatedly seen good-faith estimates for time to completion of even “simple” projects significantly underestimate the time/effort required. The PCR balefully notes that only 11% of companies assessed in 2013 were fully compliant with all 12 PCI-DSS 2.0 requirements (with Requirement 11, Regularly test security systems and processes, being a particularly widespread bugaboo for many). Further, while the “good news” is that year-over-year full compliance, according to Verizon, increased from 7.5% in 2012, a look at the Verizon 2010 PCR indicates that, per the methodology used in 2010, Verizon found that 22% of companies were “validated compliant with the PCI DSS at the time of their IROC [Initial Report on Compliance].”
- Make compliance sustainable. The PCR notes “there are thousands of tasks that an organization must complete throughout the year to stay compliant. * * * compliance needs to be embedded in ‘business as usual’ as an ongoing process.” There’s no free lunch or quick fix for PCI compliance. But this brings to mind “Privacy by Design,” which the FTC has repeatedly recommended as a “best practice” in recent privacy-related guidelines and reports. (See our coverage of the FTC’s Mobile App Privacy Disclosure, and Privacy Framework). To be effective long-term, security and privacy practices and procedures must be “baked into” the fiber of company practices – otherwise the chances of a potentially shattering oversight greatly increase.
- Think of compliance [with PCI-DSS] in a wide context. Again, Verizon’s PCR reiterates that PCI compliance isn’t a “one-and-done” event. Rather, it needs to be part and parcel of any entity’s broader governance, risk, and compliance strategies. Achieving PCI compliance should dovetail with and enhance other aspects of risk management, compliance and information security while raising employee awareness of proper data security and data handling hygiene.
- Leverage compliance as an opportunity. Many view the time, expense and effort of PCI compliance as purely a negative burden. That’s a glass half-empty approach. Approaching PCI-related security compliance mandates with the view that it can drive enterprise-wide process and security improvements and generate additional equity – if only by keeping you out of the news, the courts and away from state and federal regulators – is a more palatable and productive philosophy.
- Focus on “scoping”. Effective PCI programs require a “clear definition of the systems, processes, and people that store, process, or access cardholder data.” Reducing the “scope” of your IT infrastructure to be validated can be a huge time and expense saver PROVIDED you don’t shortchange “non-PCI” security measures, systems or procedures safeguarding personally identifiable information (“PII”) and other data.
In short, the 2014 PCR is a valuable starting point for discussions by and between those responsible for legal issues, infosec, IT infrastructure, risk management, employee training, compliance and C-level execs or other parties involved in data security. To discuss the 2014 PCI Compliance Report or your own PCI, infosec or other data security needs feel free to contact us at 203 3070-2655 or by email at firstname.lastname@example.org