Industry's struggle with payment card standards holds lessons for agencies

Challenges faced by commercial enterprises in meeting the Payment Card Industry Data Security Standards throw some light on why cybersecurity is so difficult for agencies.

More than three-quarters of enterprises audited in the past two years by Verizon Business for compliance with the Payment Card Industry Data Security Standards failed to pass their initial evaluation, according to a study released by Verizon.

“This is interesting, since most were validated to be in compliance” the previous year, the report states.

Just 21 percent of about 100 organizations evaluated by accredited Verizon assessment teams in 2010 met the PCI requirements during the first pass of their annual evaluations, down just slightly from 22 percent in 2009. That means at least 78 percent of the organizations slipped out of compliance over the course of a year.

“There is an erosion of security over time,” said Wade Baker, director of research and intelligence at Verizon Business and an author of the report. “Why? There are lots of different reasons.”

The PCI Data Security Standards are industry-specific (although Verizon does evaluate some federal agencies that handle credit card information). But the challenges identified in the study can shed some light on why cybersecurity is so difficult for government.

“I think there is a pretty good degree of overlap” between the 12 requirements in the PCI DSS and best practices for security that should be followed by agencies, Baker said. Practices and controls required under the Federal Information Security Management Act are broader and deeper than the PCI standards, so compliance with PCI would not necessarily equal FISMA compliance.

But the overlap between the two probably is closer to 80 percent than to 20 percent, Baker said, and because PCI compliance is all or nothing — it requires a 100 percent score each year to pass — it is fairly easy to quantify results.

The standards were developed six years ago by the Payment Card Industry’s Security Standards Council. All organizations that use or store cardholder data must prove their compliance with the standards annually, but there also are daily, weekly and quarterly activities required.

The basic PCI DSS requirements are:

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of cardholder data and sensitive information across public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Each requirement also includes additional specific actions and tests.

Because PCI compliance requires a 100 percent score, the initial 79 percent failure rate reported in the Verizon study for 2010 is not as bad as it sounds. Another 37 percent scored between 90 and 99 percent on the initial evaluation, so a total of 58 percent scored 90 percent or better. But the question remains, why did they slip when they had achieved 100 percent a year earlier?

In many cases it is a matter of missing documentation rather than faulty security controls, but the controls themselves can erode over time due to overconfidence, fatigue and stretched budgets, Baker said. “Environmental changes are also a critical factor,” as new systems and technologies are implemented, he added.

In general, security often is treated as an event rather than a process, Baker said, and critical activities often are neglected once compliance has been achieved. This is reflected in the fact that the lowest level of compliance on initial evaluations was with the requirement to regularly test security systems and processes.

This is not necessarily because of negligence on the part of IT and security teams. Staffs and budgets typically are stretched thin, and a good deal of time and resources is devoted to meeting new requirements and putting out fires rather than to routine upkeep.

“Almost by default, organizations are going to struggle with maintenance and ongoing procedures,” Baker said.

Another area of poor performance was the requirement to protect stored data. There is an apparent paradox here, because one of the key elements in protecting stored data is encryption, and yet most organizations did well in encrypting data in transmission. But the two issues really are separate.

“In general, organizations better understand exactly how to encrypt data in motion,” the authors of the report wrote. This often can be done automatically by two machines, such as a browser and a server. “Encryption of data at rest, as any security professional can tell you, is not an easy technology to implement even in the best of times.”

Some of the PCI requirements are specific to that industry, such as those for specific point-of-sale terminals. But the challenge of protecting stored data applies to agencies as well as to merchants processing credit cards.

“In encryption, they struggle most with key management,” Baker said. Another challenge is locating and identifying all data that must be protected, which is an ongoing problem.

Maintaining an information security policy also is a challenge. Only 39 percent of organizations fully met this requirement on initial evaluation. Both the Payment Card Industry and FISMA call for a risk-based approach to security policies.

“The only way to know what security measures are needed in a policy is to first discover the risks,” which is a continuous task, the report states.
