Industry's struggle with payment card standards holds lessons for agencies
- By William Jackson
- Sep 28, 2011
More than three-quarters of enterprises audited in the past two years by Verizon Business for compliance with the Payment Card Industry Data Security Standards failed to pass their initial evaluation, according to a study released by Verizon.
“This is interesting, since most were validated to be in compliance” the previous year, the report states.
Just 21 percent of about 100 organizations evaluated by accredited Verizon assessment teams in 2010 met the PCI requirements during the first pass of their annual evaluations, down just slightly from 22 percent in 2009. That means at least 78 percent of the organizations slipped out of compliance over the course of a year.
Cloud security fears outweigh savings, but perhaps not for long
NIST revises specs for automating security
“There is an erosion of security over time,” said Wade Baker, director of research and intelligence at Verizon Business and an author of the report. “Why? There are lots of different reasons.”
The PCI Data Security Standards are industry-specific (although Verizon does evaluate some federal agencies that handle credit card information). But the challenges identified in study can shed some light on why cybersecurity is so difficult for government.
“I think there is a pretty good degree of overlap” between the 12 requirements in the PCI DSS and best practices for security that should be followed by agencies, Baker said. Practices and controls required under the Federal Information Security Management Act are broader and deeper than the PCI standards, so compliance with PCI would not necessarily equal FISMA compliance.
But the overlap between the two probably is closer to 80 percent than to 20 percent, Baker said, and because PCI compliance is all or nothing — it requires a 100 percent score each year to pass — it is fairly easy to quantify results.
The standards were developed six years ago by the Payment Card Industry’s Security Standards Council. All organizations that use or store cardholder data must prove their compliance with the standards annually, but there also are daily, weekly and quarterly activities required.
The basic PCI DSS requirements are:
Install and maintain a firewall configuration to protect data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored data.
Encrypt transmission of cardholder data and sensitive information across public networks.
Use and regularly update antivirus software.
Develop and maintain secure systems and applications.
Restrict access to data by business need-to-know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security.
Each requirement also includes additional specific actions and tests.
Because PCI compliance requires a 100 percent score, the initial 79 percent failure rate reported in the Verizon study for 2010 is not as bad as it sounds. Another 37 percent scored between 90 and 99 percent on the initial evaluation, so a total of 58 percent scored 90 percent or better. But the question remains, why did they slip when they had achieved 100 percent a year earlier?
In many cases it is a matter of missing documentation rather than faulty security controls, but the controls themselves can erode over time due to overconfidence, fatigue and stretched budgets, Baker said. “Environmental changes are also a critical factor,” as new systems and technologies are implemented, he added.
In general, security often is treated as an event rather than a process, Baker said, and critical activities often are neglected once compliance has been achieved. This is reflected in the fact that the lowest level of compliance on initial evaluations was with the requirement to regularly test security systems and processes.
This is not necessarily because of negligence on the part of IT and security teams. Staffs and budgets typically are stretched thin and a good deal of time and resources are devoted to meeting new requirements and putting out fires, rather than addressing routines.
“Almost by default, organizations are going to struggle with maintenance and ongoing procedures,” Baker said.
Another area of poor performance was the requirement to protect stored data. There is an apparent paradox here, because one of the key elements in protecting stored data is encryption, and yet most organizations did well in encrypting data in transmission. But the two issues really are separate.
“In general, organizations better understand exactly how to encrypt data in motion,” the authors of the report wrote. This often can be done automatically by two machines, such as a browser and a server. “Encryption of data at rest, as any security professional can tell you, is not an easy technology to implement even in the best of times.”
Some of the PCI requirements are specific to that industry, such as those for specific point-of-sale terminals. But the challenge of protecting stored data applies to agencies as well as to merchants processing credit cards.
“In encryption, they struggle most with key management,” Baker said. Another challenge is locating and identifying all data that must be protected, which is an ongoing problem.
Maintaining an information security policy also is a challenge. Only 39 percent of organizations fully met this requirement on initial evaluation. Both the Payment Card Industry and FISMA call for a risk-based approach to security policies.
“The only way to know what security measures are needed in a policy is to first discover the risks,” which is a continuous task, the report states.
William Jackson is a Maryland-based freelance writer.