Companies subject to PCI DSS security requirements are audited once per year, yet many of these companies continue to be breached. It is not that PCI DSS fails, but that companies fail to maintain compliance from one audit to the next. According to Verizon’s 2016-2018 dataset, at the time of a breach, no organization was compliant across all 12 PCI DSS requirements.
Compliance sustainability from one annual audit to the next is the primary thrust of the Verizon 2019 Payment Security Report, the eighth annual report (PDF) on the state of PCI DSS compliance. “Most companies are able to achieve compliance fairly easily,” Rodolphe Simonetti, managing director of Verizon’s global security consulting, told SecurityWeek, “but what is important is maintaining compliance throughout the year. This is the only way to mitigate risk and manage security properly.”
“We can definitively state,” says the Verizon report, “we have never reviewed an environment or investigated a PCI data breach involving an affected entity that was truly PCI DSS compliant—even if it had a signed Attestation of Compliance (AOC).” While it cannot confirm industry claims that no PCI DSS compliant company has ever been breached, it does say categorically that no covered breached company within its purview was actually compliant at the time of the breach.
In greater detail, 0% of such companies were compliant with requirements 3, 8, 10, 11 and 12. Requirement 9 (restrict physical access to cardholder data) had the highest compliance rate among breached entities, but still contained failures in 75% of breached organizations. Overall, requirement 10.2 (automated audit trails for all system components) causes the most problems, with retail organizations being the worst offenders.
Verizon believes that PCI DSS compliance overall is improving, but the sustainability of that compliance over the full year is declining. Whenever it assesses a company, it does two assessments. When it does its initial assessment, it documents all the company’s compliance gaps. It gives the customer a few weeks to close the gaps, and then returns for the formal assessment. The difference between the two assessments provides what Verizon calls the sustainability gap — and this sustainability gap has been widening since 2016.
The clear implication from such figures is that too many companies treat PCI DSS compliance as an annual paper check rather than a continuous condition: a minimal annual check-box exercise rather than the maintenance of proper security. “The fundamental argument,” Simonetti told SecurityWeek, “is that companies need to stop treating PCI DSS compliance as a project, and start treating it as a program.”
This year’s Verizon Payment Security Report (PDF) provides a methodology to help companies move from this annual test to a mature data protection compliance program (DPCP) able to provide continuous PCI DSS conformance, something it calls the ‘9-5-4 Compliance Program Performance Evaluation Framework’. It combines nine factors of control effectiveness and sustainability with five constraints of organizational proficiency and four lines of assurance. This framework, says Verizon, “can help anyone approach control environments more like a qualified security assessor.”
The five constraints to proficiency are capacity, capability, competence, commitment and communication. These are business constraints that need to be overcome before an effective DPCP can be achieved. Commitment must come from board level to ensure that the DPCP has adequate support, autonomy, independence and resources, backed by two-way communication throughout the organization.
The four lines of assurance are based on the five lines of assurance put forward by Leech and Hanlon in ‘The Handbook of Board Governance’ (Wiley, 2016). “In our opinion,” says Verizon, “the four-lines model, which we developed, is a better fit for the payment security environment.” These comprise individual accountability; risk management and compliance functions; internal audit, external auditors, regulators; and external bodies. “Each step in the lines-of-assurance model has a purpose,” says the firm, “and can promote efficiency and effectiveness through information sharing.”
The nine factors of control effectiveness and sustainability are control environment, control design, control risk, control robustness, control resilience, control lifecycle management, performance management, maturity measurement and self-assessment. A matrix of the nine factors against the five constraints should be evaluated against the four lines of assurance. In each line of assurance, the matrix should display one of three possibilities: no significant concerns, uncertainty (further investigation is necessary), or failure.
The result highlights both where additional work is required to ensure compliance, and where the organizational weakness causing that need can be found. Since this is a model for self-assessment, it can be used on a continuous basis within an organization, ensuring that the compliance satisfied at the time of the regulatory PCI DSS audit can be maintained throughout the year (and making preparation for the next audit more simple and more predictable).
One aspect of PCI DSS compliance that is less easy to handle internally on a continuous basis is the requirement for penetration testing (requirement 11.3, implement a methodology for penetration testing). Penetration testing is expensive, and its results are only guaranteed to be accurate at the time of the test. It is also one of the most problematic areas for compliance. “Requirement 11 continues to lag at the back of the pack when it comes to full compliance,” notes the report. “With the lowest compliance ranking for the 2017–2019 PSR reporting years, this requirement also has the widest control gap, meaning not only are organizations not maintaining compliance, they are also failing on a larger number of controls.”
But testing can be ongoing, points out Simonetti. Verizon’s own solution is its penetration testing program. It combines automated vulnerability scanning with human penetration testing. So, starting from a position of compliance (say, immediately following a successful audit), regular automated vulnerability scans will detect whether the customer has become vulnerable. Only when this happens is there a need for limited human penetration testing to determine whether the customer has slipped out of compliance due to the newly discovered vulnerability.
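The drift-detection step of the approach described above (compare each automated scan against the baseline captured right after the audit, and escalate only genuinely new, serious findings for human review) can be illustrated in a few dozen lines. The following is an added example written for this article, not Verizon’s program or code; the scan findings are constructed sample data, the check identifiers are hypothetical, and the severity threshold that triggers human penetration testing is an assumed policy value rather than anything the report specifies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability-scanner result for one host (constructed sample type)."""
    host: str
    check_id: str   # scanner's identifier for the check (hypothetical values below)
    severity: str   # "low" | "medium" | "high" | "critical"
    summary: str


# Ordering used to compare a finding's severity with the escalation threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _key(f: Finding) -> tuple[str, str]:
    # A finding is "the same" across scans if host and check match,
    # regardless of how the summary text or severity label is worded.
    return (f.host, f.check_id)


def new_findings(baseline: list[Finding], current: list[Finding]) -> list[Finding]:
    """Findings present in the current scan that were absent at audit time."""
    seen = {_key(f) for f in baseline}
    return sorted((f for f in current if _key(f) not in seen), key=_key)


def resolved_findings(baseline: list[Finding], current: list[Finding]) -> list[Finding]:
    """Findings accepted or open at audit time that no longer appear."""
    still_open = {_key(f) for f in current}
    return sorted((f for f in baseline if _key(f) not in still_open), key=_key)


def needs_human_pentest(new: list[Finding], threshold: str = "high") -> list[Finding]:
    """Assumed policy: only new findings at or above the threshold trigger a
    targeted manual penetration test; lower-severity drift is tracked, not escalated."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in new if SEVERITY_RANK[f.severity] >= floor]


def triage(baseline: list[Finding], current: list[Finding], threshold: str = "high") -> dict:
    """Summarise compliance drift since the post-audit baseline scan."""
    new = new_findings(baseline, current)
    return {
        "new": new,
        "resolved": resolved_findings(baseline, current),
        "unchanged": len(current) - len(new),
        "escalate": needs_human_pentest(new, threshold),
    }


# Constructed data: the scan taken immediately after a successful audit.
BASELINE = [
    Finding("db-01.cde.example", "BANNER-VERSION", "low", "Service banner discloses version"),
    Finding("pos-01.cde.example", "TLS-LEGACY-CIPHER", "medium", "Legacy TLS cipher suite enabled"),
]

# Constructed data: a routine automated scan some weeks later.
CURRENT = [
    Finding("db-01.cde.example", "BANNER-VERSION", "low", "Service banner discloses version"),
    Finding("pos-01.cde.example", "SMB-SIGNING-OFF", "medium", "SMB signing not required"),
    Finding("web-01.cde.example", "OUTDATED-TLS-LIB", "critical", "TLS library below vendor's patched release"),
]


if __name__ == "__main__":
    result = triage(BASELINE, CURRENT)
    for label in ("new", "resolved", "escalate"):
        print(f"{label}:")
        for f in result[label]:
            print(f"  {f.host} {f.check_id} [{f.severity}] {f.summary}")
    print(f"unchanged since baseline: {result['unchanged']}")
```

Keying on host and check identifier rather than on the full record keeps re-worded summaries from appearing as fresh drift, and returning sorted lists makes the report stable between runs. The threshold lives in one place so that a program owner can tighten it without touching the comparison logic.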
“If I was in charge of managing PCI compliance while minimizing the cost,” said Simonetti, “I would make sure that the list of the 20 biggest control gaps provided in the report are properly addressed.” The standard 80/20 rule applies, he added. “With correcting those twenty common failures you will cover 80% of the risk. They are good, quick wins.”