Data Security Certification


Verizon recently released their 2014 PCI Compliance Report. For the industry it makes for dark reading. In essence, Version 2.0 is difficult to achieve and now Version 3.0 is upon us which is going to be more onerous.

The Payment Card Industry Data Security Standard Version 3.0 came into effect at the beginning of this year. It promises to bring more parts of the infrastructure into scope and to make shared environments very difficult to certify. So you’d think this is because adherence to the current Version 2.0 was high and the new version was meant to bring the user base a little bit further along the road – WRONG. No, the populace has apparently been left behind in an almost evangelical effort to hermetically secure all environments.


The front page of the report says:

“In 2013, 64.4% of organisations failed to restrict each account with access to just one user – limiting traceability and increasing risk (Requirement 8).”

These are the basics that almost two thirds of the companies who responded to the survey did not achieve. More than one user having access to the cardholder data unnecessarily expands the attack surface. Fundamentally, it means that the basic precaution of giving no one access to the data other than those with a business need for it is not being followed.

The August 2013 Nilson Report that is referenced in this work points to the need to keep our deterrents in place. Card fraud losses in 2012 topped $11bn globally according to that report, and the curve is on an ever steeper upward trajectory. It is past time to act, but how, when the standard is not being adhered to even by those who are attempting to gain certification in it?

Possibly most telling was that only 11.1% of companies were completely compliant when audited in 2013. This did equate to a 3.6% rise in the metric, but it is still far from being comforting.


With the expected drop in compliance under the new version and the unclear role of cloud in the standard, be prepared for a lot of work when approaching your next certification round. My advice is to avail yourself of the Version 2.0 route this year if you can, and keep on trying. The biggest danger is that the disconnect between compliance and the standard becomes so large that firms jettison it entirely. If this happens, security will no longer have a measure, and we all know what happens to KPIs that are not measured.

If you want to do a bit more reading, download the report from:
http://www.verizonenterprise.com/pcireport/2014/insider/