The Green Sheet Online Edition
March 10, 2014 • Issue 14:03:01
Verizon defends the PCI DSS
The Payment Card Industry (PCI) Data Security Standard (DSS) has come under criticism lately as high profile data breaches continue to expose flaws in retailers' data security systems. But a report issued by telecommunications firm Verizon Wireless concluded that the PCI DSS is working.
In the Verizon 2014 PCI Compliance Report, the researchers acknowledged the global standard is imperfect in entirely safeguarding sensitive payment data. "Some even regard the DSS, even in its latest 3.0 guise, as taking fundamentally the wrong approach to security," Verizon said. Then it asked a rhetorical question: "But is it effective in achieving security?" It answered the question with, "Our evidence suggests it is."
Verizon bases that opinion on the over 4,000 security assessments it conducted for 500 clients. Verizon has a qualified security assessment team of 550 professionals, it said.
Responses to criticisms
Verizon cited Nilson Report research from August 2013 that said card fraud cost the global payments market over $11 billion in 2012. Verizon added that the frequency of fraud schemes that the PCI DSS was designed to avoid is in fact growing. And yet most businesses are not fully compliant at the time of assessment.
Verizon said that only 51.1 percent of the companies it had audited had passed seven of the 12 requirements of the PCI DSS; and only 11.1 percent of said companies had passed all 12.
Verizon addressed some of the criticisms leveled at the PCI DSS. One concern is that the standard promotes compliance as a test to be passed and forgotten, which distracts companies from focusing on improving security. Verizon responded by stating that breached businesses were less likely to be PCI DSS compliant than unaffected companies. It also said businesses improve their chances of not being breached by having the standard in place, and of minimizing the damage of a breach should one occur.
Another common complaint leveled at the standard is that it is too cumbersome and slow moving in relation to the quickly evolving threat landscape and nimble fraudsters ready to try new tactics. Verizon countered that the PCI DSS is meant to be a set of baseline security protocols. "[A]chieving compliance with any standard is simply not enough organizations must take responsibility for protecting both their reputation and their customers," the company said.
Verizon added that most attacks on networks are of the simple variety, with 78 percent of hacking techniques considered low or very low in sophistication. "Our DBIR [data breach investigations report] research shows that while perpetrators are upping the ante trying new techniques and leveraging far greater resources less than 1 percent of the breaches use tactics rated as 'high' on the VERIS [Verizon's data breach analysis database] difficulty scale for initial compromise," Verizon said.
The newest version of the standard, PCI DSS 3.0, went into effect Jan. 1, 2014. Businesses have until Jan. 1, 2015, to implement it. Verizon admitted that the updated standard has new requirements and clarifications to version 2.0 that will take time for businesses to understand and implement, and this will result in more organizations being out of compliance.
"Our data shows that there's an initial dip in compliance whenever a major update to the standard is released so organizations will have to put in additional effort to prepare for achieving compliance with DSS 3.0," Verizon said.
The firm offered five approaches to help businesses deal with their PCI DSS compliance obligations:
- Don't leave compliance to information technology security teams, but enlist application developers, system administrators, executives and other staff in helping further along the process.
- Embed compliance in everyday business practices so that it is sustainable.
- Integrate compliance programs into enterprise-wide governance, risk and compliance strategies.
- Think of compliance as an opportunity to improve overall business processes, rather than as a burden.
- Learn how to reduce the scope of organizations' compliance responsibilities, chiefly by figuring out how to store less data on fewer systems.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.