The 2011 Verizon Payment Card Industry Compliance Report (pdf.) is based on findings from more than 100 PCI DSS assessments conducted by Verizon’s PCI Qualified Security Assessors in 2010. The report, which also combined statistics from the 2011 Verizon Data Breach Investigations Report, examined how well organizations comply with the 12 specific PCI requirements.
Compliance among Level 1 and Level 2 organizations remained consistent with Verizon’s 2010 PCI compliance report. Only 21% of organizations were fully compliant during an initial assessment. Organizations eventually achieve compliance, but fail to maintain a state of compliance through the next assessment period, said Wade Baker, director of Risk Intelligence for Verizon Business.
“This is clearly an event for them rather than something that is a continuous process,” Baker said. “We’re seeing lots of scrambling to get things in order for the assessor and that’s not the intent of PCI DSS at all.”
On average, Verizon QSAs are finding merchants are meeting about 80% of what is required to meet PCI DSS. Companies are often overconfident, Baker said, because they achieved compliance in an earlier assessment and “they often think they can walk through it easily again, but that is clearly not the case.”
Changes in the merchant’s environment such as an acquisition, a new point-of-sale (POS) system or an agreement with a new processor can change the scope of a new assessment. Organizations are also not always sure of the boundaries of their cardholder environment, Baker said.
The Verizon PCI report found some technology and policy improvements. Companies were doing a better job encrypting credit card data and sensitive cardholder information across public networks. Organizations were also improving restrictions on sensitive information to employees with a need-to-know.
But other areas remained a constant struggle. Organizations faced difficulties protecting stored cardholder data, tracking and monitoring access and maintaining security policies – three of the 12 requirements outlined in the PCI DSS.
In addition, organizations are failing to take a risk-based approach to addressing security threats. Instead of applying security policies and technologies to address the systems and applications with the highest risk of being attacked, organizations are taking a checklist approach to PCI DSS, Baker said.
The report also addressed common techniques used by attackers to gain access to credit card data. For the second year in a row remote access to systems via backdoors was a favorite attack technique of cybercriminals. Once an attacker penetrates a system, a common procedure is to use malware to upload data to a remote sever. Poor authentication remains an issue. Stolen account credentials or the use of default passwords is a common technique to gain access to systems containing cardholder data.
Cybercriminals target smaller merchants
While high-profile data breaches tend to focus on breaches with massive amounts of exposed cardholder data, PCI Level 3 and Level 4 merchants with a lower number of credit card transactions are facing more threats than ever before, according to Baker. The Verizon DBIR, issued earlier this year, found cybercriminals ignoring larger companies with hardened systems, instead targeting restaurant franchises and other smaller businesses that often lack knowledgeable IT staff or cash to invest and maintain security technologies.
Companies between 1 to 100 employees are being targeted right now, more than Verizon investigators have ever seen before, according to Baker. Further compounding the problem, it takes small businesses longer to discover a breach. Smaller firms have limited log information and monitoring capabilities.
“There is a sudden increase in smaller organizations being breached,” Baker said. “Cybercriminal techniques are refined enough to where they’re choosing a very small target, getting a small number of card numbers, but then repeating the processes over and over again to make a high enough profit.”