A new Verizon Business report released today shows a correlation between non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) and data breaches. The results revealed that organizations that had suffered data breaches were 50% more likely to exhibit PCI non-compliance.
The report also ranked the top attack techniques used to steal payment card data. Remote access to systems via backdoors was the top attack, followed closely by SQL injection. Weak authentication was also a problem, in particular attackers exploiting default or easily guessable passwords to gain access to systems that store or process payment data.
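To show concretely what the second-ranked technique looks like against a cardholder lookup, here is an added example (not code from the Verizon report): a query built by string formatting beside its parameterized replacement, run against a constructed in-memory SQLite table. The table, customer names and stored last-four digits are all made up for the demonstration; no real card data is involved.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory cardholder table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, customer):
    """Injectable: the caller's input is spliced straight into the SQL text."""
    sql = f"SELECT customer, pan_last4 FROM cards WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer):
    """Safe: the driver binds the value; it can never change the query shape."""
    sql = "SELECT customer, pan_last4 FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Classic tautology payload: closes the string literal and adds an always-true clause.
PAYLOAD = "' OR '1'='1"


def dump_all_via_injection(conn):
    """Returns every row: the WHERE clause has been rewritten by the attacker."""
    return lookup_vulnerable(conn, PAYLOAD)


def dump_attempt_parameterized(conn):
    """Returns nothing: the payload is just a customer name that does not exist."""
    return lookup_parameterized(conn, PAYLOAD)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", dump_all_via_injection(db))
    print("parameterized:", dump_attempt_parameterized(db))
```

The only difference between the two functions is who gets to decide where the SQL ends and the data begins. The same pattern applies to any driver that supports placeholders; the placeholder syntax (`?`, `%s`, `:name`) varies, the principle does not.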
Further, 11% of companies met less than half of the requirements, while 22% met 100% of them. The report also covers compensating controls, and found that Requirement 3.4, which mandates that a stored primary account number (PAN) be rendered unreadable, is the control most often met by compensating controls.
- 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year-after-year repeat clients.
- On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. There was some variation around this figure, but few clients (11%) passed less than 50% of the tests.
- Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).
- Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.
- Sub-requirement 3.4 (render the Primary Account Number (PAN) unreadable) was met through compensating controls far more often than any other in the standard.
- Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council.
- Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.