If you have ever tried to obtain compliance-rate data from PCIco or the Payment Brands, you know how hard it is to come by, probably harder than finding the Holy Grail. In that context the release of the Verizon 2011 Payment Card Industry Compliance Report is quite enlightening for the security industry and the merchant community: it gives us a realistic picture of what is actually happening in the field.

Compliance versus Security

We already knew that achieving compliance is not a simple matter, but Verizon's findings show that companies are not only struggling to become compliant; keeping that status year after year appears to be even harder. Achieving compliance definitely does not mean maintaining compliance. There is no direct relationship between passing a point-in-time validation and being able to stay compliant afterwards.

Overconfidence, complacency and fatigue (or routine) are the usual Achilles' heels behind this situation, but the major cause is clearly the lack of alignment between the compliance and security processes inside organizations. As the report puts it, "Keeping compliance and security apart doesn't make sense from either a compliance or a security perspective." According to Verizon, organizations in which the compliance and security functions are completely separate achieve on average 25 percent worse results.

Furthermore, the report underlines that compliance with the standard gets harder as time goes by: PCIco keeps issuing clarifications and guidance on interpreting the requirements, and these often narrow and redefine what counts as acceptable practice.

The report also clearly shows that an organization that has worked security into its daily processes can achieve and maintain compliance more easily than one that performs the same controls merely to pass a validation. Organizations that build security into their core processes generally spend less and achieve more when it comes to validating compliance. If an organization truly and consistently strives to be secure, becoming compliant should not require a giant leap; it will be compliant as a matter of course.

The secret to compliance

According to Verizon, the secret to maintaining compliance lies largely in treating it as a daily part of conducting business, exactly as one would treat security. One could restate this as: "The secret to achieving and staying in compliance with PCI DSS is NOT to approach it from a checklist perspective, but to make it an integral part of your daily security work." This is the only way out.

These findings clearly support the observations and recommendations I made in my ISACA-hosted webcast, "PCI: A Compliance or Security Program".

The failure areas

According to the report, the four sections of the PCI DSS that are most often failed are:

Requirement 3 – Protect stored cardholder data – mostly issues related to data retention and cryptographic key rotation.

Requirement 10 – Track and monitor access – mostly issues related to application log management and file-integrity monitoring of the logs themselves.
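The file-integrity monitoring point deserves a concrete illustration, because logs are the one class of files where a naive "has the hash changed?" check is useless: a healthy log changes constantly. What an auditor actually wants to see is that additions are tolerated while in-place edits and truncation are caught. The following is an added example written for this page, not code from the Verizon report or from Rapid7; the file name, the log lines and the four scenarios are all constructed for the demonstration. It records the size and SHA-256 of a log at baseline time and later re-hashes only the baseline-length prefix, so a legitimate append leaves the verdict at "appended" while rewriting an existing line or shortening the file is flagged.

```python
import hashlib
import os
import tempfile


def snapshot(path):
    """Baseline for an append-only log: its size and the SHA-256 of its contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        data = f.read()
    h.update(data)
    return {"size": len(data), "sha256": h.hexdigest()}


def check(path, baseline):
    """Classify the log against its baseline.

    Returns one of 'unchanged', 'appended', 'truncated', 'modified'.
    Only the first baseline['size'] bytes are hashed, so new lines added at
    the end do not raise an alarm, but any edit inside the original region
    (or a truncate-then-refill that changes those bytes) is reported as
    'modified', and a file that shrank below the baseline size as 'truncated'.
    """
    size_now = os.path.getsize(path)
    if size_now < baseline["size"]:
        return "truncated"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read(baseline["size"]))
    if h.hexdigest() != baseline["sha256"]:
        return "modified"
    return "unchanged" if size_now == baseline["size"] else "appended"


# Constructed sample log lines (hypothetical; not taken from any real system).
LOG_LINES = [
    b"2011-09-20T10:00:01Z auth ok   user=alice src=10.0.0.5\n",
    b"2011-09-20T10:00:07Z auth fail user=bob   src=10.0.0.9\n",
]
NEW_LINE = b"2011-09-20T10:00:12Z auth ok   user=carol src=10.0.0.7\n"


def demo():
    """Run the four scenarios against a temporary log file and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")  # hypothetical log file name
        with open(path, "wb") as f:
            f.writelines(LOG_LINES)
        base = snapshot(path)

        # 1. Nothing happened since the baseline.
        results["unchanged"] = check(path, base)

        # 2. Normal operation: the application appended a new event.
        with open(path, "ab") as f:
            f.write(NEW_LINE)
        results["appended"] = check(path, base)

        # 3. Tampering: an attacker rewrites the failed-login line in place,
        #    keeping the length identical so the file size gives nothing away.
        with open(path, "r+b") as f:
            f.seek(len(LOG_LINES[0]))
            f.write(LOG_LINES[1].replace(b"fail", b"ok  "))
        results["modified"] = check(path, base)

        # 4. Tampering: the log is truncated back to its first line.
        with open(path, "r+b") as f:
            f.truncate(len(LOG_LINES[0]))
        results["truncated"] = check(path, base)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:10s} -> {verdict}")
```

In production the baseline would be stored off-host (or signed) and refreshed on each log rotation, otherwise an attacker with write access to the log can simply rewrite the baseline too; the code above only shows the comparison logic.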

Requirement 11 – Regularly test systems and processes – The difficulty lies in the required frequency combined with the expectation that findings are remediated and retested. Lack of time and resources prevents some companies from presenting four "passing" external and internal scans. The most frequent problem is procrastination: organizations run the penetration test or scan at the last possible minute of an assessment. Invariably, they end up with 100 to 200 findings to remediate and no hope of getting it done in time.

Requirement 12 – Maintain security policies – Most issues relate to missing critical content, failure to identify the assets that must be protected, and a poor risk management framework.

Rapid7's eight recommendations

Rapid7's eight recommendations for achieving and staying in compliance while being prepared to face your risks:

  1. Don't rely on compliance guidelines and requirements alone. Be aware of, understand and assess your own risks, specific to your environment.
  2. Be ready for the unlikely. Don't think only risk prevention; think impact minimization and incident response.
  3. See and go further than the guidelines and requirements. Consider any compliance program as a subset of your security plan, not as the plan.
  4. Stop being reactive; be proactive. Don't wait for updates from the compliance body before changing your security tactics when necessary. The heaviness of compliance bodies makes them move slowly.
  5. Stop asking "Am I secure?" Ask "How well prepared am I to face the risks?"
  6. Don't wait for the assessor's visit to get a picture of your level of preparation. Establish continuous monitoring of your readiness.
  7. Give your staff the following working statement: "Keep us prepared to face the risks."
  8. Nurture this concept of "preparation" inside your organization.


Didier Godart

Risk Product Manager 

Rapid7
