Most Organizations Fall Short On PCI DSS, Verizon Reports

This year's Verizon 2011 Payment Card Industry Compliance Report validates the findings of the first report issued last year: About one in five organizations for which Verizon provided Qualified Security Assessor (QSA) services were fully compliant in their Initial Report on Compliance (IROC), but the balance were found lacking, on average passing about 80% of the QSA evaluation tests.

September 28, 2011



The report, based on analysis of 2010 audits, produced results comparable with the first report, which was based on cumulative 2008 to 2009 data. This indicates a consistent pattern of enterprise compliance and non-compliance over three years. "The longer you see a certain pattern seems to suggest that pattern points to something real," says Cory Wade, Verizon director of risk intelligence.

Verizon says that the findings indicate a pattern of backsliding after organizations achieve compliance, failing a fifth of their tests, on average, in the following IROC. The organizations that pass all tests initially have continuous compliance programs that they maintain throughout the year.

"If we could plot the compliance level going forward in time, I get a sense it would look like a roller coaster," says Wade. "You have an upswing when the QSA shows up, then they hit peak and start to slide during the remainder of the year."

The report is based on QSA audits of more than 100 Verizon clients, with about 60% based in the United States and most of the rest from Europe, with a small Asian representation. The PCI DSS requirements that proved most difficult, measured by the percentage of organizations that passed the relevant tests, were:

  • Requirement 3: Protect stored data (42%)

  • Requirement 11: Regularly test security systems and processes (37%)

  • Requirement 12: Maintain security policies (39%)

Requirements 3 and 11 were at the bottom in the 2010 report, as well. The continued poor compliance with Requirement 11 is typical of the "set and forget" approach, as opposed to continuous compliance, the report observes, and the lack of security policies, which drive practice, is disturbing.

The strongest requirements in terms of initial compliance were:

  • Requirement 4: Encrypt transmissions over public networks (72%)

  • Requirement 5: Use and update anti-virus (64%)

  • Requirement 7: Restrict access to need-to-know (75%)

  • Requirement 9: Restrict physical access (55%)

The report notes that with anti-virus, some organizations may use acceptable compensating controls, such as whitelisting technology. The report also found that organizations analyzed in the Verizon Data Breach Investigations Report showed a generally lower rate of PCI compliance across most requirements, indicating a correlation between poor compliance and weak security.

Although only a fifth of the companies were 100% compliant initially, more than a third passed between 90% and 99% of the tests. On the down side, one in five organizations passed fewer than 50% of the tests.

See more on this topic by subscribing to Network Computing Pro Reports Strategy: Security via Compliance (subscription required).
