European businesses are lagging far behind the rest of the world in compliance with global payment card industry security standards, according to a new survey.
Just under one-third (31 per cent) of surveyed European businesses met 80 per cent or more of the PCI Data Security Standard (DSS) requirements, compared with 75 per cent of those in the Asia-Pacific region and 56 per cent in the United States.
The survey attributed the lower rate of compliance among European businesses to regional differences in breach notification laws, varying legal requirements and levels of adoption, as well as other cultural differences.
Too many firms also treat Payment Card Industry (PCI) compliance as a one-off test rather than an ongoing requirement, said Verizon, which carried out the study. It further reported that most organisations taking card payments fail to meet ongoing compliance with PCI DSS.
Areas where businesses struggle most to achieve compliance include security testing (23.8 per cent), security monitoring and the ability to detect and respond to data compromises effectively (17 per cent), and protecting stored sensitive data (55.6 per cent).
Overall, global compliance with the PCI standard has improved over the past 12 months. More than 82 per cent of organisations were compliant with at least 80 per cent of the PCI standard at the time of their annual baseline assessment in 2013, compared to just 32 per cent in 2012 – a major improvement.
The report is based on findings from hundreds of real-world PCI DSS assessments conducted by Verizon between 2011 and 2013. Drawing on actual casework, the study runs the numbers on how well businesses comply with each of the 12 PCI DSS requirements.
Ciske van Ooste, director of operations at Verizon's PCI Security practice, told El Reg that failing to keep security controls up to the mark puts businesses at increased risk of data breaches, which often result in both financial losses and damage to an organisation's reputation. He repeated the standard line of PCI backers that no PCI-compliant firm has ever suffered a breach.
"It's possible that there might be a breach case where a company is in full compliance but I haven't seen one," Van Ooste told El Reg. As befits his role, Van Ooste was reluctant to criticise PCI beyond acknowledging it was "imperfect" when it came to risk management.
Other security experts remain deeply critical of PCI even after recent reforms of the standard designed to make it more than a tickbox compliance check-list.
For example, Avivah Litan, Gartner Research vice-president and an expert in banking security and related topics, recently argued that PCI failed both Target and US consumers in the case of the recent mega-breach at the US retail chain, as well as in similar incidents before it.
"The PCI (Payment Card Industry) security standard has largely been a failure when you consider its initial purpose and history," Litan writes. "Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment card networks and their acquiring banks but it didn’t stop their breaches."
Bob Russo, general manager of the PCI Security Standards Council, on the other hand, argues that no changes to the standard were needed in the wake of the recent breaches at Target and Neiman Marcus. Less controversially, Russo also said that while technologies such as chip and PIN (EMV) have the potential to reduce fraud in face-to-face retail environments, they would do little or nothing to prevent fraud involving card purchases online, where the card is not physically present. Verizon's Van Ooste echoed this latter point: "Chip and PIN wouldn't help prevent card-not-present fraud".
Russo's interview with Bank Info Security can be found here.
Other criticisms of PCI include the argument that it pushes liability for breaches down to merchants as well as gripes about the cost of achieving compliance and criticism that the standard is failing to keep pace with hacking threats.
Joshua Corman, a security strategist who has been a long term critic of the payment card industry standard, tweeted that he wasn't impressed by the PCI's explanations.
"It is disappointing PCI DSS has so poorly adapted/evolved w/ Tech/Adversaries/Biz; it is unacceptable they keep claiming infallibility" (Joshua Corman, @joshcorman, February 3, 2014)
For better or worse, PCI DSS is the established payment card industry standard. It's an important but somewhat dry subject so great credit goes to the folks who put together a rootin’-tootin’ Country & Western song that summarises the 12 main requirements of the standard (a hat-tip to security industry veteran Graham Cluley for drawing our attention to this animated effort, below).
A visual timeline of PCI DSS can be found here.