A couple of weeks ago, Verizon Business issued their first PCI Compliance Report. The report analyses organizations, mainly in the US, that have gone through the PCI DSS validation process using the services of Verizon's QSAs. There are a lot of interesting tidbits in this report that I thought would be worth highlighting.
Validation, Compliance and Security
There is still a lot of confusion in the industry about what validation, compliance and security mean. Compliance validation, sometimes referred to simply as validation, is a point-in-time event – like passing a test. Compliance is an ongoing process (such as reviewing your logs daily or running file integrity monitoring weekly) that maintains a continuous state called "compliant". Many organizations that pass their annual audit are unable to maintain this state and fall out of compliance. In addition, PCI DSS is a baseline for better security – the requirements are meant to be the minimum controls that an organization should consider for creating a more secure environment. Thus validation ≠ compliance, and further compliance ≠ security. I personally believe that we as an industry should continue to reinforce this distinction in the hope of increasing the level of maturity and understanding among merchants.
Another area of interest is that organizations are overconfident in their ability to pass their compliance validation. You wouldn't be calling the auditor to your door unless you thought you were going to pass the audit, right? Well, the report shows that only 22% of the organizations were validated compliant at the time of their Initial Report of Compliance (IROC), which also indicates that compliance is not widely maintained. Arriving at the audit in this state is very costly in terms of audit fees and remediation burden.
The report also covers the three most difficult requirements: Req 3 (protect stored data), Req 10 (track and monitor) and Req 11 (regularly test), with the last two being the most crucial requirements. The least implemented requirement was 11.5, covering file integrity monitoring (FIM). This is particularly interesting for me, because Tripwire solutions address two of these three top requirements, and we can help you not only implement FIM but continuously monitor the effectiveness of your controls. On average, merchants met 81% of all test procedures, but given that PCI DSS is an all-or-nothing approach (100% compliance), this is not very good news.
The report maps security to the plan-do-check-act (PDCA) cycle. Req 12 allows you to Plan. Reqs 1 through 9 allow you to Do. Reqs 10 and 11 allow you to Check. And all requirements, in particular those in the "Do" phase, allow you to Act. Results show that merchants are better at planning and doing than they are at checking.
Words of advice: the more you test, the less blood you'll shed. If you want to utilize logs effectively, you need to be able to extract meaning from them and automate processes to manage the growing volume of data. Implement the most crucial requirements first, since they're also the ones with the broadest applicability to the top threat actions.
Conclusions and Recommendations from the report:
- Don't separate compliance and security (they're joined at the hip)
- Build security into your processes, not onto them
- Treat compliance as a continuous process, not an event (it will be easier and less costly)
- When preparing to validate, don’t procrastinate (it’s going to cost you more in time and resources)
- Avoid failure to communicate
- Understand how your decisions affect compliance
- Keep it small and simple
- Discover and track your data (use tools that allow you to have broad visibility)
- Prioritize your approach to compliance
- Check yourself before you wreck yourself (this is my favorite)
You can follow Cindy Valladares on Twitter @cindyv.