If you ever try to get data about the compliance rate from the PCIco or the Payment Brands you would know how challenging it is: probably more challenging than finding the Holy Grail. So in this context, the release of the Verizon 2011 Payment Card Industry Compliance Report is quite enlightening for the security industry and merchant community. It gives us a good sense of the reality of the field.

Compliance versus Security

We already knew that achieving compliance is not a simple matter, but Verizon’s findings emphasize that not only are companies struggling to be compliant, but it seems even harder for them to keep their compliance status year after year. Achieving compliance definitely isn't the same thing as maintaining compliance. There is no direct relationship between passing a point-in-time validation and being able to maintain compliance.


If overconfidence, complacency and fatigue (or routine) are the common Achilles heels generating this situation, the major cause is clearly the lack of aligment between the compliance and security processes inside organizations. Accoridng to Verizon's report: “Keeping compliance and security apart doesn’t make sense from either a compliance and security perspective." The report indicates that organizations in which compliance and security functions are completely separate meet on average 25 percent less results.


Furthermore, the report underlines that as time goes by, complying with the standards gets harder as the PCIco gives clarification and guidance on interpreting the standards, often narrowing and redefining acceptables practises.


The report also clearly emphasizes that an organization that has worked security into their daily processes can more easily achieve and maintain compliance than one that is performing them merely to meet a validation effort. Organizations that build security into their core processes generaly spend less and achieve more when it comes to validating compliance.  If an organization truly and consistently strives to be secure then it should not require a giant leap to be compliant: they will be compliant as a matter of fact.


The secret to compliance

According to Verizon the secret for maintaining compliance lies largely in treating it as a daily part of conducting business: exactly how one would consider security. So one could reinterprete this statement by “The secret to achieving and staying compliant with PCI DSS is NOT to look at it from the checklist perspective, but rather to consider it as a whole part of your daily security assignments." This is the only way out.


These considerations clearly validate and sustain the observations and recommendations expressed in my webcast about  “PCI: A Compliance or Security Program” hosted by ISACA.


The failure areas


According to the report, the four sections of the PCI DSS most commonly failed are:


Requirement 3: Protect stored cardholder data - mostly issues related to data retention and key rotation.


Requirement 10: Track and monitor access - mostly issues related to application log management and file-integrity monitoring on logs


Requirement 11: Regulary test systems and processes – the difficulties reside in the frequency combined with the expectation that findings are remediated and retested. Lack of time and resources prevent some companies from presenting four “passing” external and internal scans. The most frequent problem is that organizations procrastinate and perform the pen test or scan at the last possible minute of an assessment. Invariably, the result is that they have between 100 – 200 findings to remediate and no hope of getting it done in time.


Requirements 12: Maintain Security policies – mostly issues are related to the lack of critical content and lack of identification of assets that must be protected, poor risk management framework.


Rapid7's eight recommendations


Rapid7’s eight recommendations to achieve and stay compliant while being prepared to face your risks:


  1. Don’t just rely on compliance guidelines and requirements. Be aware,understand and assess your own risks, specific to your environment.
  2. Be ready for the unlikely. Don’t think risk prevention; think impact minimization and response to incident.
  3. See and go further than the guidelines and requirements. Consider any compliance program as a subset of your security plan. Not as the plan.
  4. Stop being reactive; be proactive. Don’t wait for updates from the compliance body to change your security tactics when necessary. The heaviness of compliance bodies makes them move slowly.
  5. Stop asking: Am I secure? Ask “How well prepared am I to face the risks?”
  6. Don’t wait for the assessor visits to get a picture of your level of preparation. Establish continuous monitoring of your readiness.
  7. Assign the following working statement to your staff: “Keep us prepared to face the risks”
  8. Nurture this concept of “preparation” inside your organization.


Didier Godart