Thursday, November 21, 2024

Study: About One-Fifth of Breached Entities Were PCI-Compliant

Supermarket chain Hannaford Bros. Inc. stunned the electronic-payments world when it revealed that it had passed its most recent audit for compliance with the Payment Card Industry data-security standard (PCI) before hackers breached its computer systems and compromised more than 4 million card numbers (Digital Transactions News, March 18, 2008). But other breaches since then and now a new study by Verizon Business show that a merchant’s PCI compliance is no guarantee against a data breach.

In fact, 21% of breached entities subject to the PCI standards had been found to be compliant in their last annual assessment before their breaches, according to Verizon Business’s new 2010 Data Breach Investigations Report. That’s one of the more notable findings in the report from the subsidiary of New York City-based phone giant Verizon Communications Inc., whose services include PCI assessments and post-breach investigations. For the first time, the report includes data from the U.S. Secret Service, which investigates many data breaches.

In all, the report draws on information for 2009 from 141 data breaches, 57 investigated by Verizon Business and 84 from the Secret Service. Some good news was that while payment card data were involved in 54% of breaches and accounted for 83% of compromised records, their share is actually declining. Just a few years ago, 80% or more of breaches and nearly all of the stolen data were card numbers, according to Wade Baker, director of risk intelligence at Verizon Business. “In 2009, payment cards were the least dominant in our caseload than they have ever been,” he tells Digital Transactions News.

It’s no surprise that 79% of merchants and other entities subject to the PCI standards were out of compliance before their breaches, but the 21% that had passed their reviews indicates some problems, according to Baker. (The cases involved include only Verizon post-breach investigation clientele.) The chief one is that many merchants regard PCI as something they should be ready for once a year, at assessment time, rather than as an ongoing operation that requires constant vigilance. “I think what we’re seeing is that a company will sort of ramp up and be able to validate themselves against PCI DSS when a QSA [qualified security assessor] comes in, but it just kind of erodes a little bit over the year,” he says.

Failure to pay constant attention to the PCI rules, which include 12 major requirements and more than 200 specific dos or don’ts, doesn’t explain everything, however. In some cases, trusted administrators with access to sensitive data “can decide to go rogue one day. You can’t really regulate and protect against that,” Baker says.

In post-breach reviews of PCI-covered entities that had been in compliance in their last annual assessments, Verizon Business found some improvements in meeting a few specific requirements, but many merchants still fell far short in meeting others. Some 90% in 2009 met Requirement 4, which calls for encryption of data going over public networks, up from 68% in 2008. Compliance with Requirement 9, which mandates restricting who can have physical access to cardholder data, rose to 58% last year from 43% in 2008. Some 40% of the breached clients met Requirement 12 to have an information-security policy, up from only 14% in 2008.

Compliance in other areas actually slipped in 2009, however. Only 53% of the breached companies met Requirement 5, to use and regularly update anti-virus software, down from 62% in 2008. And compliance with Requirement 2, which admonishes merchants not to use vendor-supplied defaults for system passwords and other security parameters, fell from 49% in 2008 to only 30%. “The more and more data I see, anything that has anything to do with maintenance over the long term seems to be a struggle,” Baker says. “It’s a challenge to keep up with all that.”

Verizon Business is in the midst of conducting a similar survey of companies subject to PCI that have not been breached. Baker expects the percentages of firms meeting the individual requirements to be higher than those for the breached firms, but results aren’t in yet.

The Wakefield, Mass.-based PCI Security Standards Council, which administers and updates the rules, next week is expected to preview planned changes to the standards that it will announce later this year.
