The State of PCI Compliance, 2017
Complying with the Payment Card Industry Data Security Standard (PCI DSS) can be hard. Businesses have been working on doing so for over 13 years, since PCI DSS Version 1.0 was released on December 15, 2004. In fact, it’s so hard that a significant fraction of businesses are still not in full compliance. According to the recently released 2017 Payment Security Report from Verizon, only 55.4% of businesses claimed full compliance last year. This is actually a significant improvement over previous years: in 2012, they found a compliance rate of only 11%. The 2017 report is the first time that a (slim) majority of businesses claimed full compliance.
There are lots of reasons to comply with the PCI DSS. In addition to penalties that can be assessed for non-compliance, many of the requirements of the Standard can be considered Security 101, things that absolutely everyone should be doing: installing and running a firewall, protecting against malware, restricting access to systems, requiring users to authenticate, and maintaining a security policy.
But modern IT systems are complicated and hard to manage, so it shouldn’t be too surprising that businesses are having a hard time doing this well. This is particularly true for companies whose IT systems have evolved over many years, resulting in systems a bit like the Winchester Mystery House here in San Jose, where the apparently random construction of the building over almost 40 years resulted in a house that is so odd that people happily pay to see how odd it is. It has staircases that go nowhere. It has rooms that look like they’re only partially completed. In some cases it’s not really clear what counts as a room and what does not.
Managing an IT system that has grown over time is more than a little like managing the computer equivalent of the Winchester Mystery House. Instead of having a hard time figuring out exactly how many rooms a house has, it can be hard to determine exactly how many authorized users you have (is Bob Smith in Application A the same user as Bob Smith in Application B?). In environments like these, it’s very difficult to make things secure, and the rates of compliance with the PCI DSS that Verizon has seen seem to reflect this unfortunate reality.
The PCI DSS has 12 requirements. Of these, number 3, protecting stored cardholder data, is the one that I’m most interested in (if only because our data protection solutions help people comply with that particular requirement). This may be the only requirement that doesn’t quite fall into the category of Security 101: it’s really more something that requires a mastery of the basics before you do it. And Verizon’s data in their 2017 report shows some patterns for this requirement.
It’s interesting to note that 77% of businesses managed to fully comply with this requirement last year. That’s an improvement of 2% over the previous year. But that big-picture number hides some interesting detail. In particular, full compliance with this requirement fell from 79.1% to 62.7% for businesses in the Americas, while it increased from 69.2% to 100% in the Asia Pacific region (congratulations!), and from 62.5% to 74.4% in Europe.
It’s easier to protect cardholder data now than it was when version 1.0 of the PCI DSS came out. Since then, innovations such as format-preserving encryption let you protect cardholder data while not interfering with your Winchester-Mystery-House IT infrastructure. But it’s apparently still not easy enough. Verizon found that only one of the 12 requirements of the PCI DSS had a lower compliance rate than protecting cardholder data, and that area was number 11, the requirement to test security systems and processes. It seems likely that those Winchester-Mystery-House-like IT infrastructures are also hard to test.
But while we will keep working to find ways to make it easier to protect cardholder data, I’m afraid that we won’t be able to help in that particular area. That’s an area that other people will have to take care of.
About the Author
Luther Martin, Micro Focus Distinguished Technologist, is a frequent contributor to articles and blogs. Recent articles include Relax! Good encryption practices won’t affect app performance in TechBeacon Magazine, The Security of Cryptography and the Wisdom of Crowds, in the ISSA Journal, and The High/low Entropy Rant for Cryptography in the voltage.com blog.