Monday, October 18, 2010

Verizon PCI Report is Out

Taking notes as I am reading Verizon’s awesome “Verizon 2010 Payment Card Industry Compliance Report” [PDF]

“Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data). ” - not surprising, given DAILY log review in 10.6.image

“Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.” – one of THE KEY  findings and a good measure of PCI DSS efficiency. “PCI works” side of an argument gets a powerful weapon!

“All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS.” – not at all surprising to me, but might surprise some of the “attacks are soooooo dynamic” people :-)

“An organization may be able to pass validation in order to “achieve compliance” but then—once the QSA leaves—become lax about maintaining the degree of security the standard is designed to provide over time. As such, the goal of any organization should be to maintain its state of security in adherence with the minimum baseline compliance requirements set by the standard.” – a very useful reminder to more than a few folks who forget that “QSA do not manufacture compliance”

“22% were validated compliant with the PCI DSS at the time of their IROC.” – indeed a point worthy of discussion. 22% found compliant from the 1st shot is pretty darn good, IMHO.

“these organizations had at least some expectation going into the validation process that they would be found compliant and yet over three quarters of them were not” – indeed, compliance is MUCH easier if exists only in your mind :-)

“Most organizations appear overconfident when assessing the state of their security practices.” – Cap’n Obvious calling..calling..calling :-)

“Regular testing (R11) and monitoring (R10) may be the most crucial but underrated and least appreciated aspects of security.” – if a merchant has to work at it throughout the year, as opposed to simply buy – or check! – the box, compliance rates lag.



“we have shown that the majority of organizations do not meet their goal of 100% compliance upon initial assessment” – BTW, do we realize that these guys were likely not compliant for most of the time since their last compliant FRoC?

“Organizations tend to struggle in all of these areas, most notably with generating (10.1 and 10.2), protecting (10.5), reviewing (10.6), and, to a lesser extent, archiving (10.7) logs” – well, it is not only the hard stuff that is hard. The easy stuff is hard too…mmmm.

“breach victims are less compliant than a normal population of organizations [..]  these results do suggest that an organization wishing to avoid breaches is better off pursuing PCI DSS than shunning it altogether” – this is [a part of] proof that PCI DSS works to improve security. Nice!

“it cannot be said that the PCI DSS fails to address the most prevalent threats to cardholder data. None of the top threat actions listed above falls outside the scope of its 12 requirements. For most of them, in fact, multiple layers of relevant controls exist across the standard.” – as obvious as it was to me, I suspect some people will be surprised. Threats today’s don’t seem as “dynamic” as some people think…

“the requirements exhibiting the worst assessment scores (10, 11) are also those most broadly applicable to the threat actions shown in Table 4. It should not be terribly surprising, then, that organizations suffering known data breaches were not highly  compliant with the PCI DSS” – oops! Fail to do the right things –> suffer a breach – with or without PCI DSS.

achieving and maintaining PCI Compliance should not be considered an annual project but a daily process – please keep this in mind, darn it. What is so special about this line that we have to repeat it every freaking day … and still have some people act as if it is news to them!!!?

.. next I started quoting from report conclusions and realized I’d be quoting most of their content. So, just read it!

Finally, a good way to think about PCI DSS below (from page 11 of the report):


Overall, a SUPERB piece of work (did I mention that I think it is awesome? :-)) and a must-read for any PCI DSS proponent OR skeptic!

Enhanced by Zemanta

Dr Anton Chuvakin