Why 41 Percent of You Would Fail a PCI Audit

By Bill Brenner, CSO
March 01, 2010 12:11 PM ET

CSO - Security vendors are launching a gazillion products this week at RSA Conference 2010, but hidden in all of those press releases are a few nuggets that illustrate the big picture trends. Here are a few of the more interesting items found in the press room this morning:

QSAs: 41 Percent of Companies Would Fail PCI Audit

New research from The Ponemon Institute suggests nearly half of the companies out there would bomb a PCI security audit.

The report says that while only two percent of businesses outright fail compliance audits, 41 percent would fail if they were unable to rely on temporary compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. These alternative routes to compliance must meet QSA approval, but they may be only temporary fixes or be eliminated by future changes to PCI DSS. Their prevalence appears to indicate that businesses are still coming up to speed with the security standard introduced in 2006.

"This study is the first ever to analyze PCI DSS compliance trends from the QSA perspective and reveals some very interesting information about the way organizations approach compliance and how they protect sensitive information," said Dr Larry Ponemon, chairman and founder of The Ponemon Institute. "PCI DSS compliance isn't easy and it's definitely not all about any one technology or process. This study indicates a significant concern among QSAs that many merchants are primarily focused on complying with PCI and less on what should be equally important -- protecting sensitive information."

When it comes to compliance, QSAs find the most difficult requirement for merchants to meet is restricting access to cardholder data on a business-driven need-to-know basis (PCI DSS Requirement #7), and QSAs believe this is the most important part of achieving PCI DSS compliance. QSAs also find the most significant threats to card data are in merchant networks and databases containing cardholder data. Not surprisingly, these are the places where criminals have caused the highly publicized data breaches of recent years.

The news is hardly surprising, given the growing chorus of complaints from the security community that companies are worried more about completing a compliance checklist than implementing true security.

That was one of the main messages delivered by Joshua Corman, research director for enterprise security at The 451 Group, during that firm's 4th Annual Client Performance Conference in November.

"Organizations have made PCI DSS and compliance in general the basis of their information security policies," he said at the time. "They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all."

He compared PCI DSS to No Child Left Behind, the education reform law championed by former President George W. Bush. The law has been criticized by some who believe it has stifled innovation in education and focused too much on standardized testing.
