According to the Verizon 2010 Payment Card Industry Compliance Report, organizations are generally doing a good job meeting most PCI DSS requirements but struggle when they have to engage in continuous security activity, such as daily monitoring of logs, according to the business analysis of its PCI assessment clients. In addition, Verizon found that organizations that had suffered data breaches of cardholder information performed dismally in terms of compliance with most PCI requirements.
The report found that about a fifth of the organizations included in the analysis were found fully PCI compliant in Verizon's Initial Report on Compliance (IROC) issued after the assessors' site visit. That means that the client passed each one of about 150 tests based on the subsections of the 12 core PCI DSS requirements.
Verizon analysts were surprised the full compliance figure (22 percent) was that high. They found that while some passed more easily because of relatively simple environments (e.g., they didn't have wireless deployments), many successful organizations had passed in previous years and built on their experience to maintain compliance. "What was consistent among these 22 percent was they treated PCI as a lifestyle change," said Jennifer Mack, Verizon's director of global PCI consulting services. "They incorporated it into their daily processes and didn't act with a project mentality."
The report is based on an analysis of about 200 organizations chosen as a cross-section of Level 1 through Level 4 Verizon QSA clients in 2008 and 2009.
The lowest compliance rates were in:
- Requirement 3: Protect stored data (43 percent)
- Requirement 10: Track and monitor all access to network resources and cardholder data (39 percent)
- Requirement 11: Regularly test security systems and processes (38 percent)
Requirement 10 is problematic, the report said, because although organizations generally turn on logging for network devices, they fail to do so for applications and allow logs to be overwritten instead of offloading them for storage. Finally, they are overwhelmed by the requirement to review logs daily.
Organizations performed woefully across all aspects of regularly testing security systems and processes, but failure to perform file integrity monitoring was the single greatest failure among the 150 or so tests required across the PCI standard. The consistent theme with non-compliance for tracking, monitoring, and regular testing was the failure to apply security practices that require continuous activity.