The downward trend in organizations passing PCI DSS interim security testing is worrying. PCI DSS compliance requires security every day, not once a year.
It sounds like working your way down the ladder of success.
According to Verizon’s 2019 Payment Security Report, out last November, the percentage of companies passing so-called “interim security testing” under the Payment Card Industry’s Data Security Standard (PCI DSS) dropped by nearly a third from 2016 to 2018—55% to 37%.
Interim testing is done one or more times during the year by qualified security assessors (QSAs) or internal security assessors (ISAs). The goal is to help companies maintain full compliance with PCI DSS at all times—not just during the annual formal test.
So a decline this steep is more than just a worrying trend. Even at its highest level in 2016, barely more than half of companies handling credit card data were in compliance during interim testing. Now, even that mediocre performance looks to be eroding rapidly.
It strongly suggests that, in spite of constant exhortations and warnings from experts that security needs to be a top priority in a connected world, it remains an afterthought far too much of the time.
It’s not quite as bad as it looks, according to Ciske van Oosten, senior manager of Global Business Intelligence, Security Assurance Consulting Division of the Verizon Business Group. He said the decline is due partly to a change in the industry verticals the report surveyed.
“The drop is, in part, data related,” he said. “We have fewer financial services organizations and more retail in the mix. Also, there are comparatively fewer Asia Pacific organizations and more from Europe. Asia Pacific organizations demonstrate higher security control sustainability than those in Europe.”
He also said the “control gap,” which is the percentage of security controls that were out of compliance during interim testing, actually decreased. So, still failing, but not by as much as before. “That’s a good thing,” he said.
Still, caveats and all, it is not a welcome trend. Especially since there hasn’t been a major overhaul of the standard in three and a half years, so it’s not as though organizations had to adjust to a pile of new requirements last year. The latest major change, PCI DSS 3.2, was introduced in April 2016 and became mandatory in February 2018.
The trend looks even bleaker in light of the general assumption when the standard was launched in 2004 by five major card brands—Visa, Mastercard, American Express, Discover, and JCB—that, in Van Oosten’s words, “organizations would achieve effective and sustainable compliance within five years. We can see that this is not the case.”
Indeed. Not even close.
The bit of good news is that more than 90% of organizations do pass their annual, formal compliance validation. But it’s only a bit. Compliance at a moment in time clearly is not “business-as-usual” compliance.
“The majority of organizations fail to keep their controls in place as they should,” Van Oosten said. “This is not only expected but also required by the PCI DSS. We see critical controls that were not in place, and not corrected until an assessor conducted an assessment. That exposes data that must be protected to increased risk.”
One reason for this, according to Julie Conroy, research director at Aite Group, is that there is “a vast swath of businesses that are subject to PCI that are not security experts—they are just businesses looking to sell their stuff. Unfortunately, handling sensitive data is part of that process.”
Beyond that is the reality that in a connected world, threats and attacks are increasing at exponential rates. Which raises the question: Is it reasonable to demand that organizations be in full compliance with a rigorous security standard 100% of the time?
Indeed, the Payment Card Industry Security Standards Council (PCI SSC), which created and oversees the PCI DSS, has been the target of sometimes withering criticism for expecting that organizations can maintain 24/7 security, and for the implication that compliance means security.
Its critics have contended that the standard is designed mainly to shield card issuers and banks from liability for loss, at the expense of merchants.
But its officials and defenders say those criticisms are based on distortions. There has never been a 24/7, 100% compliance expectation, according to Van Oosten. “That bar may be too high, and unrealistic,” he said.
“The expectation is that organizations can effectively detect when controls fall out of place and correct them rapidly. That comes with operational resilience of the control environment. We see that organizations still do not demonstrate this resilience capability.”
And Troy Leach, senior vice president of the PCI SSC, said the organization has agreed from its start with the mantra that “compliance is not security.” He said it’s actually the other way around—that security produces compliance.
“Compliance or attestation of compliance is a result of good security,” he said.
But while no organization can be in full compliance every moment of every day, Leach said, “security should be a business-as-usual activity, not just an annual checklist of activities. It requires having security embedded in the culture of the organization to understand the broad benefits beyond avoiding a headline data breach.”
Or as Van Oosten puts it, “Continuous compliance needs to be by design and built into the control environment. It’s always better to be ‘built-in’ rather than ‘bolted on.’ The processes needed to support continuous compliance, and the ability to simplify and automate it is lacking in many organizations.”
And it is indeed possible to “build security in.” That has been the message for the past decade of the BSIMM (Building Security In Maturity Model), an annual report on software security initiatives (SSI) at companies covering primarily eight verticals.
The BSIMM, now part of Synopsys, is a self-described “measuring stick” for SSIs that reports on what those companies are doing—what is working and what isn’t.
Emile Monette, director, value chain security, at Synopsys, said the company’s multiple security testing tools for software will help, both with building security in and with compliance with the PCI DSS, “especially with the requirements that ‘organizations most often failed to maintain.’”
“Specifically No. 11 (Test Security Systems and Process) and No. 6 (Develop and Maintain Secure Systems),” he said.
“Our tools can help with network and vulnerability scans (requirement 11.2), protection of software components and applications from known vulnerabilities (requirement 6.2), and rechecking security controls flagged by penetration testing to ensure that issues were fixed (requirement 11.3.3).”
But he and others say that compliance-based security, however well intended, “is almost always done as a snapshot in time and, without automation, does not generally deliver constant risk-based security or visibility into security.”
Van Oosten agrees that PCI DSS is “not a failsafe standard,” but insists that “there has never been a publicly disclosed case of any organization experiencing a confirmed payment card data breach while they maintained the controls needed to comply with PCI DSS.”
That contention has been hotly disputed over the years.
But he says to critics, “What’s the alternative? The PCI DSS is arguably the best private industry initiative to raise the bar on data protection—even beyond payment card data. As the PCI SSC has stated over the past 15 years ‘the standard is the floor and not the ceiling.’”
Conroy agrees with that much. “PCI [DSS] should be viewed as the starting point, but given the sophistication of the current cyberthreat landscape, viewing security as merely a compliance exercise is not sufficient.”
One of the most catastrophic examples, she said, was the breach of mega-retailer Target, in 2013, when hackers were able to get into the company’s point-of-sale system through breaching a third-party contractor—an HVAC vendor.
“While they had passed their PCI assessment prior to the breach, it turns out they weren’t compliant or secure,” she said.
Monette cites the same irony: “Target was PCI DSS compliant at the time of the incident, but in reality they should have had better security practices in place due to the risks inherent to their networks and the data they contained,” he said. “While meeting PCI DSS was a threshold requirement for them (or they couldn’t take credit card payments), they should have done more to establish security requirements for their suppliers and ensure access controls were in place and adhered to.”
All of this confirms that there shouldn’t be a decline in companies passing their interim PCI DSS assessments. Tools that can improve the security of card processing are available.
“Businesses need to embrace a culture of security that comes from the top down and extends from software development to front line staff,” Conroy said, noting that the Verizon report “cited gaps in software development and maintenance as one of the biggest points of failure.”
“Businesses that avoid these pitfalls typically have the software development teamwork in partnership with infosecurity throughout the product development lifecycle to ensure that vulnerability testing, patching, and ongoing monitoring are an inherent part of the IT culture,” she said.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.