Verizon recently released its 2011 Payment Card Industry Compliance report, a companion to its annual Data Breach Investigations report that we discussed here. The PCI compliance report presents findings based on Verizon's work as a Qualified Security Assessor (QSA); a QSA conducts an annual audit to determine whether a company is in compliance with PCI DSS.

The executive summary from the report states:

  • Essentially unchanged from last year, only 21 percent of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). This is interesting, since most were validated to be in compliance during their prior assessment. What causes this erosion over the course of the year?
  • Also similar to our prior report, organizations met an average of 78 percent of all test procedures at the IROC stage, with some variation in compliance scores. For instance, about 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark.
  • Organizations struggled most with the following PCI requirements: 3 (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies).
  • PCI Requirements 4 (encrypt transmissions over public networks), 5 (use and update anti-virus), 7 (restrict access to need-to-know), and 9 (restrict physical access) showed the highest implementation levels.
  • Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council—even less so than in the previous year.
  • A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance significantly factors into their success.
  • Once again, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients.
  • Analysis of the top threat actions leading to the compromise of payment card data continues to exhibit strong coverage within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.

Like the data breach report, the compliance report also identifies the “Top Threat Actions.” The top five threat actions from breaches in 2010 were: (1) malware sending data to external sites; (2) backdoor malware; (3) exploitation of default or easily guessable credentials; (4) exploitation of backdoor or command and control channels; and (5) physical tampering.