This is a good read if you missed it – the most recent report by the ever-interesting Verizon PCI and Risk Intelligence Teams on the state of PCI Compliance.
It's the usual mix of "no surprise there" moments followed by a few "Huh, really? REALLY?" sections.
Overall it doesn't exactly paint a rosy picture of the security of our collective credit card information. In fact, only 21% of companies were found to be compliant at the time of the Initial Report on Compliance (IROC).
Things are actually worse this year than last year too. As they say: "The entire focus of the DSS is to protect the sensitive data; the fact that there is a drop in adherence to this protection at the time of an IROC is alarming."
The IROC isn't the final word on compliance, but what seems worrisome is that so many companies that were compliant after the final report last year fail to meet the standard for this year's initial report.
So one of two things have happened – either something fundamentally changed that caused them to go out of compliance, or they somehow "fell off the wagon" in the intervening months.
It's probably a bit of both. After all, IT operational demands change, systems change, even the opinions of QSAs evolve over time. On the other hand, good security policies should be able to cope with change, and keep a business secure – and therefore compliant. Or at least, mostly compliant, depending on your point of view.
And there's the rub. Sure enough, one of the areas where organizations fared the worst is Section 12 of the PCI DSS: "Maintain a policy that addresses information security."
Only 39% of organizations passed this section, second only to regularly test security systems and processes (37%).
Setting and putting good policies in place is hard – it requires a sound understanding of the risk facing the business, the assets to be protected, and the interaction of business processes and IT services. Keeping polices up to date, and ensuring that they are enforced, is even harder. This is where, in my humble opinion, so many businesses are falling off the PCI wagon.
It's easy to get focused on technical controls, on the mechanics of security practice, and the technology that implements them. The problem is that this is only half the battle (if that). Keeping all that relevant and engaged with a business struggling to compete in a dismal economic environment, when shareholders and senior management are demanding more, faster, cheaper, is a Herculean task.
The Verizon team rightly doesn't throw any stones in the report, nor should they. Security folks have a rough job to do, and to be honest, I think it's only getting harder to keep information secure. And as the report shows, they have a long way to go.