Reason for Concern: Only a Third of Organizations Stay PCI Compliant

Most organizations have to deal with a wide range of data protection regulations, and the list is growing. The EU’s General Data Protection Regulation (GDPR) was the first of many new “regional” data protection regulations with a global impact. Many organizations need to identify their responsibilities under these regulations and develop compliance programs capable of fulfilling them.

These regulations only add to many organizations’ existing regulatory burden. Merchants around the world already need to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance in order to be allowed to process payment card transactions. This standard is designed to ensure that merchants appropriately secure payment card data in their care.

However, the current state of PCI DSS compliance is troubling. While most organizations are capable of passing yearly audits, their compliance wanes in between. As a result, customer payment card data is potentially vulnerable to attack.

Introduction to PCI DSS

The Payment Card Industry Data Security Standard is a regulation adopted by the major payment card organizations to ensure that card data is appropriately protected. In order to be permitted to process payment card transactions, a merchant must achieve, maintain, and demonstrate compliance with PCI DSS. The structure of PCI DSS is a set of 12 high-level requirements with numerous sub-requirements. These sub-requirements provide more detail about the security controls that organizations must put in place to be compliant with each requirement.

PCI DSS requirements vary greatly in their level of clarity and ease of implementation. For example, Requirement 2 says “do not use vendor-supplied defaults for system passwords and other security parameters” and Requirement 5 mandates that organizations “use and regularly update anti-virus software or programs”. Both of these are fairly self-explanatory.

However, other PCI DSS Requirements are less clear. Requirement 6 is “Develop and maintain secure systems and applications”. In order to determine the security actions required to achieve compliance with this, organizations will need to dive into the details of the sub-requirements and map them to their organization’s unique network infrastructure. As a result, it is no surprise that 98% of organizations struggle with this requirement.

Most Organizations Don’t Stay Compliant

Ideally, in order to process payment card information, merchants should need to maintain PCI DSS compliance 24/7. In reality, auditors aren’t constantly monitoring organizations’ systems. Whether or not an organization has to undergo a compliance audit depends on the size of the business and the number of payment card transactions that they process on a regular basis. Smaller merchants may be able to self-certify compliance and only undergo a formal compliance audit if something has gone wrong (like a data breach).

Self-certification systems are already a problem for regulatory compliance. Many smaller organizations may not fully understand their responsibilities under a particular regulation. As a result, they may falsely certify themselves as compliant, whether willfully or mistakenly. Regardless of the reason for the false certification, this allows the organization to continue processing payment card transactions without properly protecting customer data.

However, the issues with PCI compliance are not limited to small businesses. Organizations large enough to require a third-party audit for compliance are likely only required to undergo this audit once per year. The remaining 364 days of the year, there is little or no oversight to determine if the organization actually maintains their security throughout the year or just patched things together to get the stamp of compliance. In fact, according to a recent report, only 37% of organizations actually passed their interim compliance audit in 2018. This is a practice run designed to help organizations to prepare for the real thing later in the year. This represents an 18% drop in only two years since 55% passed in 2016.

Failing to demonstrate full compliance at an interim audit may not affect an organization’s compliance status, but it is a clear warning sign that many merchants are not actually secure. Failing to pass an interim compliance audit means that an organization doesn’t actually have the appropriate security controls in place to protect their customers’ payment card data. This is concerning since a compliance program without the appropriate security controls in place has a 95% chance of being unsustainable, meaning that these organizations can easily become vulnerable to attack.

Maintaining PCI DSS Compliance

Unsurprisingly, the main components of the interim compliance audit that merchants failed fall under the “less clear” requirements. 33% of companies failed to run regular network and vulnerability scans (requirement 11.2), 28% didn’t protect against known vulnerabilities (6.2), and 27% failed to double-check that issued discovered during penetration testing were actually fixed (11.3.3).

These failures are surprising since all of them can be easily addressed using automated solutions. The first and third issues only require scheduling regular and follow-up vulnerability scans, which is a built-in option for most vulnerability scanners. Protecting against known vulnerabilities can be accomplished by deploying a web application firewall (WAF) to provide general protection for an organization’s entire web presence and using runtime application self-protection (RASP) to secure individual, high-value applications that are more vulnerable to attack.

The PCI DSS regulation can seem complex, but it largely boils down to identifying and deploying existing cybersecurity controls and solutions. By picking the right tools for the job and configuring them to map to PCI DSS requirements, organizations can build a sustainable and scalable compliance strategy.