Survey: Just 1 in 3 Euro biz slackers meets card security standards

Yet PCI-DSS has 'largely been a failure', wails securo-bod

European businesses are lagging far behind the rest of the world in compliance with global payment card industry security standards, according to a new survey.

Just under one-third (31 per cent) of surveyed European businesses met 80 per cent or more of the PCI Data Security Standard (DSS) requirements, compared with 75 per cent of those in the Asia-Pacific region and 56 per cent in the United States.

The survey attributed the lower rate of compliance among European businesses to regional differences due to breach notification laws, varying legal requirements and levels of adoption, as well as other cultural differences.

Too many firms also treat Payment Card Industry (PCI) compliance as a one-off test rather than an ongoing requirement, said Verizon, which carried out the study. It further reported that most organisations taking card payments fail to meet ongoing compliance with PCI DSS.

The areas where businesses struggle most to achieve compliance include security testing (23.8 per cent), security monitoring and the ability to detect and respond effectively to data compromises (17 per cent), and protecting stored sensitive data (55.6 per cent).

Overall, global compliance with the PCI standard has improved over the past 12 months. More than 82 per cent of organisations were compliant with at least 80 per cent of the PCI standard at the time of their annual baseline assessment in 2013, compared to just 32 per cent in 2012 – a major improvement.

The report is based on findings from hundreds of real-world PCI DSS assessments conducted by Verizon between 2011 and 2013. Drawing on this casework, the study runs the numbers on how well businesses comply with each of the 12 specific PCI requirements.

Ciske van Ooste, director of operations at Verizon's PCI Security practice, told El Reg that failure to keep security controls up to the mark is putting businesses at increased risk of data breaches, which often result in both financial losses and damage to an organisation's reputation. He repeated the standard line of PCI backers that no PCI-compliant firm has ever suffered a breach.

"It's possible that there might be a breach case where a company is in full compliance but I haven't seen one," Van Ooste told El Reg. As befits his role, Van Ooste was reluctant to criticise PCI beyond acknowledging it was "imperfect" when it came to risk management.

Other security experts remain deeply critical of PCI even after recent reforms of the standard designed to make it more than a tickbox compliance check-list.

For example, Avivah Litan, Gartner Research vice-president and an expert in banking security and related topics, recently argued that PCI failed both Target and US consumers in the case of the recent mega-breach at the US supermarket chain as well as similar incidents before it.

"The PCI (Payment Card Industry) security standard has largely been a failure when you consider its initial purpose and history," Litan writes. "Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment card networks and their acquiring banks but it didn’t stop their breaches."

Bob Russo, the PCI-DSS council's general manager, on the other hand, argues that no standards changes were needed in the wake of recent breaches at Target and Neiman Marcus. Less controversially, Russo also said that while technologies such as chip and PIN (EMV) had the potential to reduce fraud in retail environments, they would do little or nothing to prevent fraud involving credit card purchases online. Verizon's Van Ooste echoed this latter point: "Chip and PIN wouldn't help prevent card-not-present fraud".

Russo's interview with Bank Info Security can be found here.

Other criticisms of PCI include the argument that it pushes liability for breaches down to merchants as well as gripes about the cost of achieving compliance and criticism that the standard is failing to keep pace with hacking threats.

Joshua Corman, a security strategist who has been a long-term critic of the payment card industry standard, tweeted that he wasn't impressed by the PCI's explanations.

For better or worse, PCI DSS is the established payment card industry standard. It's an important but somewhat dry subject so great credit goes to the folks who put together a rootin’-tootin’ Country & Western song that summarises the 12 main requirements of the standard (a hat-tip to security industry veteran Graham Cluley for drawing our attention to this animated effort, below).

Comedy country and western infosec video.

A visual timeline of PCI DSS can be found here.