jueves, 13 de octubre de 2011

2011 Verizon Payment Card Industry Compliance Report

This report analyzes findings from actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments conducted by Verizon’s team of Qualified Security Assessors (QSAs).

The report describes where these organizations stand in terms of overall compliance with the DSS and presents analysis around which specific requirements are most and least often in place during the assessment process. Furthermore, we overlay this assessment- centric data with findings from Verizon’s Investigative Response services to provide a unique risk-centric perspective on the compliance process. In a section new to this year’s edition, significance tests are conducted to examine the relationship (or lack thereof) between various organizational practices and initial compliance scores.

  • - Essentially unchanged from last year, only 21 percent of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). This is interesting, since most were validated to be in compliance during their prior assessment. What causes this erosion over the course of the year?
  • - Also similar to our prior report, organizations met an average of 78 percent of all test procedures at the IROC stage, with some variation in compliance scores. For instance, about 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark.
  • Organizations struggled most with the following PCI requirements: 3 (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies).
  • PCI Requirements 4 (encrypt transmissions over public networks), 5 (use and update anti-virus), 7 (restrict access to need-to- know), and 9 (restrict physical access) showed the highest implementation levels
  •  Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council—even less so than in the previous year.
  • A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance significantly factors into their success.
  • Once again, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients.
  • - Analysis of the top threat actions leading to the compromise of payment card data continues to exhibit strong coverage within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.


Link relacionado:
- Verizon PCI report finds firms struggling to maintain compliance
- Informe anual de PCI: la seguridad es un proceso

No hay comentarios: