An acute shortage of people joining the cyber security workforce and malaise on the part of businesses has been cited as reasons for a low level of PCI DSS certification amongst retailers across industries.
According to Verizon’s 2017 Payment Security Report, just 55.4% companies assessed were fully PCI DSS compliant at interim validation. While the numbers are encouraging compared to 48.4% in 2015, it is worrying that just over half of those accepting payments are cyber security certified. This basically means that nearly half of stores, hotels, restaurants, practices and other businesses are still failing to maintain compliance from year to year. And also failing from passing on the advantages of using of a certified and secure system to customers.
Gabriel Leperlier, head of Continental Europe Advisory Services GRC/PCI said: “The numbers are so low because to be certified, you need to have a lot of controls in place. You need to be compliant not just at the same time every year but every day of the previous year. Companies need to be able to show detailed logs for the whole year as well as have resources in place to scan and pentest their own systems. The ability to discover vulnerabilities on their own systems on the part of businesses is key to being certified.
“We were testing the systems and servers of a company while assessment and spotted that their logging system had not been working for 8 months. For that duration of time nobody had noticed this! This obviously meant that the business wasn’t compliant any more.
“If a security expert had been in place at the business, he would have analysed the logs. If this was a financial institution, they could have alerted customers saying they could have been breached or asked for a forensic investigator.
“If we combine the findings of this report with that from the Verizon data breach investigations report, you realise that every single data breach has been at businesses that have been less than compliant. They would never have discovered if a data breach occurred.
“We know it isn’t just about buying the right technology but instead about people and processes. To be efficient, a business needs to have proficiency in IT security. We realise that they have IT security teams without experts in the company and this is a matter of great concern to us. For example, in financial institutions, in the last 2 years, IT security teams have grown by between 100-200% and they are primarily made up of web developers and system administrators. These people do not have a security background. The level of proficiency needed is just not available in the market.
“The fact is that there is no unemployment in IT security for those with the right credentials. People with the right skill set are either too expensive or organising the right workforce is difficult. The salary in cyber security is good and for this reason many people pretend they are security experts. Most businesses take the decision to not fire these guys but put them in a growing team.
"The need for IT security experts is acute right now. Teams have to be able to analyse what’s going on just by looking at systems. They should be able to detect an attack during early stages- whereas a system admin will see two printers talking to each other, a security expert will see one printer scanning the other for information.
Another observation in the report is that organizations that have implemented standards such as PCI DSS through dedicated security compliance programs tend to lose focus once initial compliance is achieved. When asked how that happened, Leperlier said: “Our interim assessment shows they definitely lose focus in 2-3 years time. It can be one of two things- businesses either don’t have enough people to maintain compliance or lose focus. It is very much a reflection of human behaviour. It takes a huge deal to be compliant and can usually take upto 3 years.”
“Although initial cost may be expensive, staying compliant is not difficult. Being compliant is more about processes than money. We have some small companies who have been compliant for years and use payment service providers whereas some big ones fail. It is not about the size of the company.
“Gap analysis is usually carried out by our consultants on multiple customers. This report is then analysed by sectors: IT, retail, hospitality etc. We have detail on where companies are having difficulty, what needs improving and where we need to go.
“We are also saying in the report that the main issue we saw for businesses is the effectiveness of running a secure system. If they follow examples to validate everything in their system, it will be sustainable in time.
“Secure transmission of customer data on an open network like the internet or wifi network is critical to being certified as compliant. Businesses need to secure it end to end. Companies who are finding it difficult to adapt need to remember that they need to do so not because of the technicality but because they need to provide people with the same level of security across all their channels.