Verizon’s 2018 Payment Security Report uncovers a worrying downward trend in PCI DSS compliance.
Verizon’s latest Payment Security Report (PSR) highlights a drop in the number of organisations that are compliant with the Payment Card Industry Data Security Standard (PCI DSS) from 54.4% in 2016 to 52.5 in 2017.
A small drop. But significant in the face of growing cyber security threats and an ever increasing reliance on digital technology. So why is this happening?
According to Gabriel Leperlier, Verizon’s head of Continental Europe Advisory Services, it’s getting ever harder to maintain control of security systems. In part this is because the standard is evolving.
For instance there is a requirement in PCI DSS to migrate from SSL security to a secure version of TLS security. SSL is a data encryption protocol, which along with the earliest versions of the TLS protocol, is considered unsafe. But many organisations still use it to secure websites, emails and file transfers. Changing is often seen as an unwelcome headache by over-stretched IT departments.
But it isn’t just the standard that is changing. The whole digital environment is becoming more complex. Business is more and more reliant on the connectivity that digital technology provides, communication that no longer happens within the “safe” walls of a corporate IT network, but out in the cloud and between privately owned devices.
Small wonder then that with a constantly increasing, and ever more invisible, IT estate to manage, some IT managers are getting cyber security fatigue and defaulting to a tick-box attitude that invites problems.
This isn’t true everywhere. Companies in Asia (78%) are more compliant than companies in Europe (47%) or the Americas (40%). And some industries, notably IT services (78%) are more compliant than others such as retail (56%) and hospitality (39%). These differences point to strong process and cultural influences at play.
The problem with supply chains
The first influence that Gabriel Leperlier identifies in the supply chain. He sees data breaches in many e-commerce companies, large and small. The issue he sees is one of control, or lack of it.
“Service providers deliver solutions”, he says “but those service providers have their own service providers who in turn have their own providers, and so on”. This makes it impossible for e-commerce companies to audit their security because eventually you are so far down the supply chain that “the provider doesn’t know who you are and your auditors can’t get access”.
The chain of responsibility needs to be strengthened. Shorter supply chains would help. But so would a clearer understanding of responsibility for security along the supply chain.
People: the weakest link
Another problem is people. The risk is mainly of human failures. For instance there can be an over-reliance on technologies such as Artificial Intelligence (AI) to identify when issues need addressing. And of course AI can help you to understand where your vulnerabilities lie.
But ultimately you need people. People to check the logic of AI analysis. And people to define what actions are needed and which should be prioritised. Only people can check that automated processes are working well.
Take web servers. They can be vulnerable to out-of-date systems. System administrators who rely on reports from systems that have not been updated will be relying on inadequate data. Unfortunately those reports are unlikely to tell the sysadmin that the system has not been updated and that the data is faulty. Too much trust, combined with a failure to undertake basic checks, can be fatal.
A reliance on self-assessment can make things worse. Yes, self-assessment is an important part of the control process. But it has to be done properly. If it is done by people who are not sufficiently knowledgeable about what they are checking problems inevitably arise.
Worse though is when the people doing the assessment have conflicts of interest, perhaps because they are “marking their own homework” or because there is a disincentive to report a non-compliant process. You need rules in place to ensure for instance that process auditing is not undertaken by the same IT people that set up and manage the process.
Decoupling compliance and security
Compliance with standards such as PCI DSS is important. It makes you safer. Safer, but not safe. And there is a key role for auditors here: emphasising to management that while there may be compliance with a standard this guarantees very little.
After all, compliance with most standards represents a snapshot, a picture of an organisation at a particular moment. Just because we are compliant today (perhaps when we are making a special effort in order to gain compliance) that doesn’t mean we will be compliant tomorrow. There is a need to maintain compliance, a challenge that Gabriel Leperlier sees as particularly challenging.
Another problem is that in many organisations, compliance is a tick box exercise. The very minimum for compliance is delivered. But minimum compliance in one area combined with minimum compliance in another area, and perhaps another area, can in practice mean a vulnerability.
These problems in no way reduce the importance of PCI DSS or other standards. Instead what is needed is genuine commitment to them, combined with a way of measuring compliance maturity, an opportunity to identify how improvements can be made, and plan for them, as well as identifying foreseeable problems (such as the CISO falling ill) and planning for those. PCI DSS takes account of this with a section on incident response, including requirements around training and preparedness.
A final point from Gabriel Leperlier. “Standards need auditing” he says. “But the more time you spend auditing, the more information you will get. There is always more to discover!”
Verizon's latest Payment Security Report is available here.
Gabriel Leperlier is the senior manager of security consulting at Verizon EMEA. He leads the European team focused on delivering a variety of service risk and compliance services to customers. These range from cyber risk programs; penetration testing; governance, risk and compliance programs as well as compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
Gabriel joined Verizon in 2008.
Prior to Verizon, Gabriel was a Cryptographic Operations and Office Manager at CertPlus/keynectis (now Opentrust) as well as a Cryptographic Transmission Specialist in the French Air Force.
Gabriel has the following industry qualifications - Certified Information Security Manager CISM®; Qualified Security Assessor Professional by PCI-DSS Council (PCI-DSS QSA); Payment Card Industry Professional (PCIP)™; Certified Information Systems Security Professional CISSP®; Certified Information Systems Auditor CISA®; Certified ITIL® V3 Foundation as well as a Was ISO 27005 Risk Manager.
Image under licence from iStockPhoto.com, credit Golibo