Feeds

Survey: Just 1 in 3 Euro biz slackers meets card security standards

Yet PCI-DSS has 'largely been a failure', wails securo-bod

The Essential Guide to IT Transformation

European businesses are lagging far behind the rest of the world in compliance with global payment card industry security standards, according to a new survey.

Just under one-third (31 per cent) of surveyed European businesses met 80 per cent or more of the PCI Data Security Standard (DSS) requirements, compared with 75 per cent of those in the Asia-Pacific region and 56 per cent in the United States.

The survey attributed the lower rate of compliance among European businesses to regional differences due to breach notification laws, varying legal requirements and levels of adoption, as well as other cultural differences.

Too many firms also treat Payment Card Industry (PCI) compliance as a one-off test rather than an ongoing requirement, said Verizon, which carried out the study. It further reported that most organisations taking card payments fail to meet ongoing compliance with PCI DSS.

Areas where businesses struggle the most in achieving compliance include security testing (23.8 per cent), security monitoring, and the ability to effectively detect and respond to data compromises (17 per cent), as well as protecting stored sensitive data (55.6 per cent).

Overall, global compliance with the PCI standard has improved over the past 12 months. More than 82 per cent of organisations were compliant with at least 80 per cent of the PCI standard at the time of their annual baseline assessment in 2013, compared to just 32 per cent in 2012 – a major improvement.

The report is based on findings from hundreds of real world PCI DSS assessments conducted by Verizon between 2011 and 2013. The study, based on real actual casework, runs the numbers on how well businesses comply with each of the 12 specific PCI requirements.

Ciske van Ooste, director of operations at Verizon's PCI Security practice, told El Reg that failure to keep security controls up to the mark is putting businesses at an increased risk for data breaches, which often result in both financial losses and damages to an organisation's reputation. He argued the standard line of PCI backers that no PCI-compliant firm has ever suffered a breach.

"It's possible that there might be a breach case where a company is in full compliance but I haven't seen one," Van Ooste told El Reg. As befits his role, Van Ooste was reluctant to criticise PCI beyond acknowledging it was "imperfect" when it came to risk management.

Other security experts remain deeply critical of PCI even after recent reforms of the standard designed to make it more than a tickbox compliance check-list.

For example, Avivah Litan, Gartner Research vice-president and an expert in banking security and related topics, recently argued that PCI failed both Target and US consumers in the case of the recent mega-breach at the US supermarket chain as well as similar incidents before it.

"The PCI (Payment Card Industry) security standard has largely been a failure when you consider its initial purpose and history," Litan writes. "Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment card networks and their acquiring banks but it didn’t stop their breaches."

Bob Russo, the PCI-DSS council's general manager, on the other hand, argues that no standards changes were needed in the wake of recent breaches at Target and Neiman Marcus. Less controversially, Russo also said that while technologies such as chip and PIN (EMV) had the potential to reduce fraud in retail environments, they would do little or nothing to prevent fraud involving credit card purchases online. Verizon's Van Ooste echoed this latter point: "Chip and PIN wouldn't help prevent card-not-present fraud".

Russo's interview with Bank Info Security can be found here.

Other criticisms of PCI include the argument that it pushes liability for breaches down to merchants as well as gripes about the cost of achieving compliance and criticism that the standard is failing to keep pace with hacking threats.

Joshua Corman, a security strategist who has been a long term critic of the payment card industry standard, tweeted that he wasn't impressed by the PCI's explanations.

For better or worse, PCI DSS is the established payment card industry standard. It's an important but somewhat dry subject so great credit goes to the folks who put together a rootin’-tootin’ Country & Western song that summarises the 12 main requirements of the standard (a hat-tip to security industry veteran Graham Cluley for drawing our attention to this animated effort, below).

Comedy country and western infosec video.

A visual timeline of PCI DSS can be found here.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.