Feeds

Survey: Just 1 in 3 Euro biz slackers meets card security standards

Yet PCI-DSS has 'largely been a failure', wails securo-bod

Internet Security Threat Report 2014

European businesses are lagging far behind the rest of the world in compliance with global payment card industry security standards, according to a new survey.

Just under one-third (31 per cent) of surveyed European businesses met 80 per cent or more of the PCI Data Security Standard (DSS) requirements, compared with 75 per cent of those in the Asia-Pacific region and 56 per cent in the United States.

The survey attributed the lower rate of compliance among European businesses to regional differences due to breach notification laws, varying legal requirements and levels of adoption, as well as other cultural differences.

Too many firms also treat Payment Card Industry (PCI) compliance as a one-off test rather than an ongoing requirement, said Verizon, which carried out the study. It further reported that most organisations taking card payments fail to meet ongoing compliance with PCI DSS.

Areas where businesses struggle the most in achieving compliance include security testing (23.8 per cent), security monitoring, and the ability to effectively detect and respond to data compromises (17 per cent), as well as protecting stored sensitive data (55.6 per cent).

Overall, global compliance with the PCI standard has improved over the past 12 months. More than 82 per cent of organisations were compliant with at least 80 per cent of the PCI standard at the time of their annual baseline assessment in 2013, compared to just 32 per cent in 2012 – a major improvement.

The report is based on findings from hundreds of real world PCI DSS assessments conducted by Verizon between 2011 and 2013. The study, based on real actual casework, runs the numbers on how well businesses comply with each of the 12 specific PCI requirements.

Ciske van Ooste, director of operations at Verizon's PCI Security practice, told El Reg that failure to keep security controls up to the mark is putting businesses at an increased risk for data breaches, which often result in both financial losses and damages to an organisation's reputation. He argued the standard line of PCI backers that no PCI-compliant firm has ever suffered a breach.

"It's possible that there might be a breach case where a company is in full compliance but I haven't seen one," Van Ooste told El Reg. As befits his role, Van Ooste was reluctant to criticise PCI beyond acknowledging it was "imperfect" when it came to risk management.

Other security experts remain deeply critical of PCI even after recent reforms of the standard designed to make it more than a tickbox compliance check-list.

For example, Avivah Litan, Gartner Research vice-president and an expert in banking security and related topics, recently argued that PCI failed both Target and US consumers in the case of the recent mega-breach at the US supermarket chain as well as similar incidents before it.

"The PCI (Payment Card Industry) security standard has largely been a failure when you consider its initial purpose and history," Litan writes. "Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment card networks and their acquiring banks but it didn’t stop their breaches."

Bob Russo, the PCI-DSS council's general manager, on the other hand, argues that no standards changes were needed in the wake of recent breaches at Target and Neiman Marcus. Less controversially, Russo also said that while technologies such as chip and PIN (EMV) had the potential to reduce fraud in retail environments, they would do little or nothing to prevent fraud involving credit card purchases online. Verizon's Van Ooste echoed this latter point: "Chip and PIN wouldn't help prevent card-not-present fraud".

Russo's interview with Bank Info Security can be found here.

Other criticisms of PCI include the argument that it pushes liability for breaches down to merchants as well as gripes about the cost of achieving compliance and criticism that the standard is failing to keep pace with hacking threats.

Joshua Corman, a security strategist who has been a long term critic of the payment card industry standard, tweeted that he wasn't impressed by the PCI's explanations.

For better or worse, PCI DSS is the established payment card industry standard. It's an important but somewhat dry subject so great credit goes to the folks who put together a rootin’-tootin’ Country & Western song that summarises the 12 main requirements of the standard (a hat-tip to security industry veteran Graham Cluley for drawing our attention to this animated effort, below).

Comedy country and western infosec video.

A visual timeline of PCI DSS can be found here.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.