Apr 15 2009
The 2009 Data Breach Investigation by Verizon is out, and I have to be honest, all I’ve had time to read so far has been pages 41-43. Why those pages? Because they’re the pages that specifically call out the statistics surrounding breaches affecting merchants who are (or should be) complying with the Payment Card Industry Data Security Standards (PCI DSS). Not at all surprising, at least to me, is that the study found that PCI compliance is important and that 81% of the companies researched in this report weren’t PCI compliant at the time of the breach. Of course, that also means that 19% of the companies breached had either self-assessed or been assessed by a QSA and were thought to be compliant at the time of the breach.
These numbers make sense to a certain degree; whether you agree or disagree that PCI is raising the bar on merchant security overall, the fact is that for many smaller businesses, it’s forcing them to put into place safeguards they may not have thought of or been willing to pay for otherwise. For larger merchants, the PCI DSS forces them to codify and staff many of the security process they may have already have had in place, as well as requiring them add new layers of security they didn’t have had in place before. It would be very interesting to see the numbers sliced and diced based on the size of the merchants involved or on whether they were self-assessed or had a QSA do an assessment.
What really disappoints me is what’s shown in Table 10: Results of post-breach PCI DSS reviews conducted by Verizon Business IR. This table shows exactly which requirements were and weren’t in place at the time of the breach. The big winner was not surprisingly requirement 5, use anti-virus, which is probably the easiest requirement for most businesses to meet. But even that requirement was only in place in 62% of the instances! The big losers were requirement 6, develop secure systems and requirement 10, monitor your systems, at only 5% in place for each of these requirements! To a certain degree I can understand that developing secure systems is hard and that some businesses might have a hard time developing secure coding practices and system configurations, but to think that only 5% of merchants involved in breaches were properly monitoring their own systems makes my head spin. It probably shouldn’t because the chance of a network suffering a breach goes down drastically when people actually pay attention to what’s happening on their systems.
What scares me is that the next biggest lack of compliance is in requirement 3: Protect stored data. Only 11% of the merchants that were studied for this report were in compliance with this requirement when they were breached. Yet if you read the PCI Council’s Prioritized Approach for PCI DSS 1.2, they state that a merchant’s first priority should be to ‘remove sensitive authentication data and limit data retention.’ Why? Because that’s where the majority of the risk is for most merchants. If you’re properly encrypting cardholder data, a compromise will be damaging to your reputation, but it won’t be nearly as damaging to your bottom line. Even better, if you don’t keep cardholder data or never have it to begin with, you might still get breached but you won’t be the next name on the compromise hit parade. Merchants need to take a long look at their data retention policies as well as investigating some of the newer tokenization possibilities out there. Remember, the bad guys can’t steal what you don’t have.
Merchants complain, sometimes very vocally, about the money and effort required to implement PCI. It can be expensive, especially if security has been on the back burner at a company, which it often is. In some ways, they’ve mortgaged the security of their company in favor short term savings. They’ve assessed the risk and come to the conclusion that it’ll be easier to ignore the problem and hope they don’t get compromised. In many cases, the merchant’s been right, they haven’t been compromised and might not be. But for the merchants that were covered in Verizon’s report, they played roulette and lost. If you’re one of the merchants who’s complaining that securing your business in order to take credit cards, maybe you’re looking at the equation wrong; you should be looking at the cost of securing your enterprise in order to take credit cards and evaluating whether or not it’s worth the costs involved. I seriously believe some merchants either shouldn’t be taking cards at all or should be outsourcing that part of their operations to a third party who specializes in securing the data. Sometimes it’s easier and cheaper to have someone else do the work than doing it yourself. And sometimes, it’s not worth the risk of taking credit cards, even though that’s unthinkable to some merchants.
I’m the first to admit I’m looking at Verizon’s report through a very narrow lens. It supports my view that even if PCI isn’t the perfect solution to securing merchants and cardholder data, it has been making an impact on the overall security of merchants. We still have a long way to go, PCI has to evolve and merchants have to be more scrupulous about putting the right controls in place, but it’s having a positive effect. In Verizon’s own words, “these breaches, in general, did not occur in organizations that were highly compliant with PCI DSS.”