BreachExchange mailing list archives

Study: About One-Fifth of Breached Entities Were PCI-Compliant


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 7 Aug 2010 11:20:17 -0400

http://www.digitaltransactions.net/newsstory.cfm?newsid=2603

(August 5, 2010) Supermarket chain Hannaford Bros. Inc. stunned the
electronic-payments world when it revealed that it had passed its most
recent audit for compliance with the Payment Card Industry
data-security standard (PCI) before hackers breached its computer
systems and compromised more than 4 million card numbers (Digital
Transactions News, March 18, 2008). But other breaches since then and
now a new study by Verizon Business show that a merchant’s PCI
compliance is no guarantee against a data breach.

In fact, 21% of breached entities subject to the PCI standards had
been found to be compliant in their last annual assessment before
their breaches, according to Verizon Business’s new 2010 Data Breach
Investigations Report. That’s one of the more notable findings in the
report from the subsidiary of New York City-based phone giant Verizon
Communications Inc., whose services include PCI assessments and
post-breach investigations. For the first time, the report includes
data from the U.S. Secret Service, which investigates many data
breaches.

In all, the report draws on information for 2009 from 141 data
breaches, 57 investigated by Verizon Business and 84 from the Secret
Service. Some good news was that while payment card data were involved
in 54% of breaches and accounted for 83% of compromised records, their
share is actually declining. Just a few years ago, 80% or more of
breaches and nearly all of the stolen data were card numbers,
according to Wade Baker, director of risk intelligence at Verizon
Business. “In 2009, payment cards were the least dominant in our
caseload than they have ever been,” he tells Digital Transactions
News.

It’s no surprise that 79% of merchants and other entities subject to
the PCI standards were out of compliance before their breaches, but
the 21% that had passed their reviews indicates some problems,
according to Baker. (The cases involved include only Verizon
post-breach investigation clientele.) The chief one is that many
merchants regard PCI as something they should be ready for once a
year, at assessment time, rather than as an ongoing operation that
requires constant vigilance. “I think what we’re seeing is that a
company will sort of ramp up and be able to validate themselves
against PCI DSS when a QSA [qualified security assessor] comes in, but
it just kind of erodes a little bit over the year,” he says.

Failure to pay constant attention to the PCI rules, which include 12
major requirements and more than 200 specific dos and don’ts, doesn’t
explain everything, however. In some cases, trusted administrators
with access to sensitive data “can decide to go rogue one day. You
can’t really regulate and protect against that,” Baker says.

In post-breach reviews of PCI-covered entities that had been in
compliance in their last annual assessments, Verizon Business found
some improvements in meeting a few specific requirements, but many
merchants still fell far short in meeting others. Some 90% in 2009 met
Requirement 4, which calls for encryption of data going over public
networks, up from 68% in 2008. Compliance with Requirement 9, which
mandates restricting who can have physical access to cardholder data,
rose to 58% last year from 43% in 2008. Some 40% of the breached
clients met Requirement 12 to have an information-security policy, up
from only 14% in 2008.

Compliance in other areas actually slipped in 2009, however. Only 53%
of the breached companies met Requirement 5, to use and regularly
update anti-virus software, down from 62% in 2008. And compliance with
Requirement 2, which admonishes merchants not to use vendor-supplied
defaults for system passwords and other security parameters, fell from
49% in 2008 to only 30%. “The more and more data I see, anything that
has anything to do with maintenance over the long term seems to be a
struggle,” Baker says. “It’s a challenge to keep up with all that.”

Verizon Business is in the midst of doing a similar survey of
companies subject to PCI that have not been breached. Baker expects
the percentages of firms meeting the individual requirements to be
higher than those for the breached firms, but results aren’t in yet.

The Wakefield, Mass.-based PCI Security Standards Council, which
administers and updates the rules, next week is expected to preview
planned changes to the standards that it will announce later this
year.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
