Verizon report shows better, if incomplete, PCI compliance, but also raises long-standing questions about the standard

If you ask most folks in business IT to finish the sentence “PCI compliance is _____”, the single most unironic and demonstrative answer you’d probably get would be “hard.”

A big part of why PCI is hard is the sheer number of details involved in compliance, as a new report from Verizon indicates. That said, the one area where most companies failed with compliance, according to the report, may be more a reflection of companies’ willingness to cut corners than of PCI’s tough standards. But how true is that?

PCI: A work in progress

The Verizon 2014 PCI Compliance Report, released on the tail of the one-year anniversary of version 3.0 of the PCI DSS standard, recognizes how difficult it is to be compliant. If anything, the report makes the case that compliance is better thought of as a matter of degrees than absolutes — and that the more degrees of implementation a company can apply, the less generally vulnerable it’ll be.

Also, the report has been engineered to deal with the tidal wave of criticism, much of it from the industry it’s been designed to serve, about PCI’s utility and adequacy. Oracle chief security officer Mary Ann Davidson had her own pithy words about the PCI Council requiring software vendors to speak up about vulnerabilities even for unpatched products. That specific criticism is addressed indirectly, as evidenced in the report’s choice of wording: “Efforts to comply distract companies from what’s really important: security.” Verizon’s take is that PCI compliance and security are complementary, and improving one helps improve the other.
As a further olive branch to critics, the report notes that PCI remains a work in progress, and “there are several important criticisms of the PCI DSS in particular that remain open to discussion even after the enhancements, clarifications, and expansions in version 3.0.” It’s hard to say the PCI Council has been entirely ignorant of the changing face of the industry; it has standards for cloud security, and the report delves into some of the more exotic security issues that can arise exclusively in cloud environments. But the contents of the report aren’t likely to ward off accusations that PCI is too complex and too difficult for its own good.

Where companies fall most short

Of all the charts, tables, and graphs in the report detailing degrees of compliance with different parts of the PCI spec, the most striking can be found on page 15. Entitled “Summary of compliance by requirement,” it lists what percentage of the companies profiled were compliant with each of the 12 PCI 3.0 requirements, and to what degree. Nobody got a perfect score in any category, but compliance is up across the board. Which category of compliance remained the biggest Achilles’ heel? Requirement 11, “Regularly test security systems and processes,” which includes vulnerability scanning, penetration testing, auditing of network resources, and so on. Where most organizations still fell short on Requirement 11 was the use of internally launched scans, the absence of penetration testing, and improperly secured wireless access points.
The report blames companies’ tendencies “to opt for the cheapest, quickest and most superficial testing that will allow them to ‘check the box’.” Again, the report views a lax approach to security as its own punishment, with PCI noncompliance an insult added to existing injury.

It isn’t difficult to see how the year-over-year jump in overall scores for Requirement 11 — from a pathetic 11.3 percent in 2012 to a more respectable 40 percent in 2013 — might have been spurred by a general increase in network security issues, post-Snowden, and not simply a burning desire to adhere to PCI’s regs. If one of the nice by-products of not being hacked is PCI compliance, that says less about the virtues of PCI compliance in the abstract than it does about the need for any company to protect its interests.

Security and PCI are never finished

The idea that PCI standards are perpetually incomplete, and may best be thought of as such, is easily seen by looking at the headlines. Retailer Neiman Marcus believed it had security measures that exceeded PCI compliance, yet it was hit with a malware attack of surprising strength. The malware in question was cutting-edge stuff, provoking questions about how much emphasis PCI should place on being on guard against next-generation threats, how the compliance assessment process should work, and so on.

One other issue this affair brought up — which seems crucial to data security in any environment — is whether PCI 3.0 should mandate encryption for data in motion as well as data at rest. It currently doesn’t, and that lack isn’t even discussed as one of the key criticisms against PCI in the report. Instead, the topic has been relegated to Appendix B of the report, which notes that the first hardware solution was only validated in late 2013, and “P2PE is still not widely deployed, partly due to a lack of suitable approved solutions — these are only now appearing on the market.” Such a dilemma seems symptomatic of PCI as a whole.
It’s unwise to make recommendations that people will find difficult or expensive to comply with, but it’s hard to ignore that this sometimes means good advice gets sidetracked. Here’s hoping for better compliance through 2014 — not in spite of PCI’s recommendations, but because of them.

This article, “Where PCI compliance fails: Security testing, network monitoring,” was originally published at InfoWorld.com.