Skip to content ↓ | Skip to navigation ↓

In the security biz we know they really are out to get you… at least electronically. Professional and well-organized groups with very specific goals are constantly probing, and succeeding at cybercrime far more than we might know. If someone really wants into your network, they will get in.

The only real questions are around cost, resources, and time.  The 2013 Verizon Data Breach Investigations Report said it well – “It’s not a question of IF, it’s when [you will be breached].”

And now, with finger pointing all around the table, even Congress wants more concrete answers on major retail breaches, with both Nieman Marcus and Target giving more details.

Achieving PCI DSS 2.0 compliance audit certification with all 289 controls appears to offer no guarantee you won’t be breached according to the Verizon 2014 PCI Compliance Report (that’s no big surprise to security professionals). The PCI Data Security Standard is now 10 years old and PCI DSS 3.0 is now the approved assessment standard, increasing requirements to nearly 400 controls.

Although in 2013 nearly 90% failed their PCI baseline assessment, the Verizon report indicates compliance was still up overall for 2013. That is improvement over prior years. Yet, new reports of massive cardholder data theft continue to be unveiled.

Doubtless more will continue to unfold, and many in the industry are calling PCI DSS a failed standard. When comparing 2013 PCI DSS compliance data with their 2013 Data Breach Investigations Report, Verizon found that the companies suffering the data breach were much less likely to be effective at:

  • Limiting access to cardholder data on a need-to-know basis – a foundational rule of security and covered in Requirement 7
  • Log management – device logs are crucial to catching the early signals of an attack and reducing the loss of data if a breach did happen, and covered in Requirement 10

That’s interesting, and probably a bit helpful, but the Verizon report examines each of the 12 Requirements and there’s a story to tell on every one. A common theme is that many organizations may have passed their assessment at a point in time, but failed to sustain it.

Verizon found that “some companies still treat compliance as a one-off annual scramble that the security team owns.” Some even regard the DSS, even in its latest and improved 3.0 version, as taking fundamentally the wrong approach to security.

“There are significant issues around knowing how to maintain compliance,” said Verizon’s PCI Practice Lead Ciske van Oosten in an interview. Verizon supports the usefulness of the PCI standard, but van Oosten cautions that a checkbox mentality is not the correct way to achieve the ultimate goal of a compliant, secure organization that can reasonably and consistently protect cardholder data.

Verizon cautions that “it’s important to remember that while validation of compliance for attestation purposes (passing the annual assessment) is a “point in time” activity, PCI Security regulation requires full compliance to be actively maintained on a day-to-day basis.”

And I would add that it’s not just the security team’s job. The entire organization needs to embrace not just PCI DSS but other useful standards and security controls that will exceed the baseline requirements currently in force.

The PCI DSS v3.0 Webinar Series Continues:


Related Articles:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


picDefinitive Guide to Attack Surface Analytics

Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.


Title image courtesy of ShutterStock