Payment Problems: Report Documents Struggle to Protect Card Data
Organizations are struggling to build and maintain systems and processes to protect payment card data. For 10 years, Verizon has completed an annual study compiling the extent to which companies comply with the Payment Card Industry Data Security Standard (PCI DSS). The 2020 report, which examines 2019 data, shows full compliance with the standard fell to 27.9 percent—the third straight year of declines. At the high mark in 2016, full compliance stood at 55.4 percent.
The 12 requirements listed in the PCI DSS follow; the three in green text have the highest compliance rates in each of the past three years and the three in red text have the lowest compliance in each of the past three years.
R1: Install and maintain a firewall configuration
R2: Do not use vendor-supplied defaults
R3: Protect stored cardholder data
R4: Protect data in transit
R5: Protect against malicious software
R6: Develop and maintain secure systems
R7: Restrict access
R8: Authenticate access
R9: Control physical access
R10: Track and monitor access
R11: Test security systems and processes
R12: Security management
Barely half of companies met Requirement 11: Test security systems and processes, which was the lowest mark in the survey, and, indeed, has been at the bottom of the list for all but three years of the study. Looking more closely at this requirement, the PCI DSS details six controls:
11.1 – Test for the presence of wireless access points
11.2 – Run network vulnerability scans
11.3 – Implement penetration testing
11.4 – Use intrusion-detection systems
11.5 – Deploy change-detection mechanism
11.6 – Documented procedures for monitoring and testing
Of these, companies are finding Control 11.2: Run network vulnerability scans to be the toughest to comply with. The report cites the following reasons why companies struggle with Control 11.2:
- Waiting to run the vulnerability scan until the month before the passing scan is due, which often leads to the discovery of complex remediation issues that are not possible to resolve within 30 days as required for “Critical” and “High” vulnerabilities.
- Changes in staff responsibilities and lack of oversight.
- Antiquated and end-of-life (EOL) technologies still present within the assessed environment that have no further support (including “extended” support) availability.
Taking a quick look at Requirement 9: Control physical access, 81.2 percent of companies achieve full compliance, which is an increase of nearly five percent from the previous year, though the percent of companies in full compliance over the last five years has generally been in the low 80s.
The study breaks out responses by four industries—finance, retail, hospitality, and IT services. Of those, retail lags behind the others, with 62.5 percent achieving full compliance with the physical access control requirement; the other industries range from 82.1 percent to 85.7 precent compliance. Of the 10 control measures for requirement nine, which range from “distinguish between onsite personnel and visitors” and “destroy media when no longer needed,” compliance is pretty even across the board, with a range from 89 percent compliance to 92.9 percent.