Apr 15 2009

Verizon Data Breach Investigation: The numbers say PCI IS important

Published by at 6:48 am under PCI, Risk

The 2009 Data Breach Investigation by Verizon is out, and I have to be honest, all I’ve had time to read so far has been pages 41-43. Why those pages? Because they’re the pages that specifically call out the statistics surrounding breaches affecting merchants who are (or should be) complying with the Payment Card Industry Data Security Standard (PCI DSS). Not at all surprising, at least to me, is that the study found that PCI compliance is important and that 81% of the companies researched in this report weren’t PCI compliant at the time of the breach. Of course, that also means that 19% of the companies breached had either self-assessed or been assessed by a QSA and were thought to be compliant at the time of the breach.

These numbers make sense to a certain degree; whether you agree or disagree that PCI is raising the bar on merchant security overall, the fact is that for many smaller businesses, it’s forcing them to put into place safeguards they may not have thought of or been willing to pay for otherwise. For larger merchants, the PCI DSS forces them to codify and staff many of the security processes they may already have had in place, as well as requiring them to add new layers of security they didn’t have before. It would be very interesting to see the numbers sliced and diced based on the size of the merchants involved or on whether they were self-assessed or had a QSA do an assessment.

What really disappoints me is what’s shown in Table 10: Results of post-breach PCI DSS reviews conducted by Verizon Business IR. This table shows exactly which requirements were and weren’t in place at the time of the breach. The big winner, not surprisingly, was requirement 5, use anti-virus, which is probably the easiest requirement for most businesses to meet. But even that requirement was only in place in 62% of the instances! The big losers were requirement 6, develop secure systems, and requirement 10, monitor your systems, at only 5% in place for each of these requirements! To a certain degree I can understand that developing secure systems is hard and that some businesses might have a hard time developing secure coding practices and system configurations, but to think that only 5% of merchants involved in breaches were properly monitoring their own systems makes my head spin. It probably shouldn’t, because the chance of a network suffering a breach goes down drastically when people actually pay attention to what’s happening on their systems.

What scares me is that the next biggest lack of compliance is in requirement 3: Protect stored data. Only 11% of the merchants that were studied for this report were in compliance with this requirement when they were breached. Yet if you read the PCI Council’s Prioritized Approach for PCI DSS 1.2, they state that a merchant’s first priority should be to ‘remove sensitive authentication data and limit data retention.’ Why? Because that’s where the majority of the risk is for most merchants. If you’re properly encrypting cardholder data, a compromise will be damaging to your reputation, but it won’t be nearly as damaging to your bottom line. Even better, if you don’t keep cardholder data or never have it to begin with, you might still get breached but you won’t be the next name on the compromise hit parade. Merchants need to take a long look at their data retention policies as well as investigate some of the newer tokenization possibilities out there. Remember, the bad guys can’t steal what you don’t have.
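To make the retention and tokenization point above concrete, here is an added example (written for this post, not code from the Verizon report or from this blog): a hypothetical token vault that is the only component holding the card number, a merchant order store that keeps only an opaque token plus a masked PAN, and a purge that enforces a retention limit. The class names, the 90-day retention value used below, and the test PAN are all assumptions or constructed values.

```python
import re
import secrets
from datetime import date, timedelta

TEST_PAN = "4111 1111 1111 1111"  # constructed: the well-known Visa test number, not real card data

def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed input is rejected before it is ever stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    # Display form: at most the first six and last four digits (PCI DSS req. 3.3)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Hypothetical tokenization service: the only component that ever holds a PAN."""
    def __init__(self):
        self._pan_by_token = {}  # a real vault encrypts this store and logs every access

    def tokenize(self, raw_pan: str) -> tuple:
        pan = re.sub(r"\D", "", raw_pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        token = "tok_" + secrets.token_hex(16)  # random, so the token reveals nothing about the PAN
        self._pan_by_token[token] = pan
        return token, mask_pan(pan)

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]  # only the payment path (e.g. refunds) should reach this

class MerchantOrders:
    """What the merchant keeps: token, masked PAN, sale date. No full PAN anywhere."""
    def __init__(self, vault: TokenVault, retention_days: int):
        self.vault, self.rows, self.retention = vault, [], timedelta(days=retention_days)

    def record_sale(self, raw_pan: str, sold_on: str) -> dict:
        token, masked = self.vault.tokenize(raw_pan)
        self.rows.append({"token": token, "masked": masked, "date": date.fromisoformat(sold_on)})
        return self.rows[-1]

    def purge(self, today: str) -> int:
        """Enforce the retention policy: drop rows older than the limit, return how many."""
        limit = date.fromisoformat(today) - self.retention
        keep = [r for r in self.rows if r["date"] >= limit]
        self.rows, removed = keep, len(self.rows) - len(keep)
        return removed
```

A breach of the merchant's order store then yields tokens and masked numbers only; the vault, with its encrypted store and access logging, is the one system that still has to meet the full weight of requirement 3.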

Merchants complain, sometimes very vocally, about the money and effort required to implement PCI. It can be expensive, especially if security has been on the back burner at a company, which it often is. In some ways, they’ve mortgaged the security of their company in favor of short-term savings. They’ve assessed the risk and come to the conclusion that it’ll be easier to ignore the problem and hope they don’t get compromised. In many cases, the merchant’s been right: they haven’t been compromised and might not be. But the merchants that were covered in Verizon’s report played roulette and lost. If you’re one of the merchants who’s complaining about securing your business in order to take credit cards, maybe you’re looking at the equation wrong; you should be looking at the cost of securing your enterprise in order to take credit cards and evaluating whether or not it’s worth the costs involved. I seriously believe some merchants either shouldn’t be taking cards at all or should be outsourcing that part of their operations to a third party who specializes in securing the data. Sometimes it’s easier and cheaper to have someone else do the work than to do it yourself. And sometimes, it’s not worth the risk of taking credit cards, even though that’s unthinkable to some merchants.

I’m the first to admit I’m looking at Verizon’s report through a very narrow lens.  It supports my view that even if PCI isn’t the perfect solution to securing merchants and cardholder data, it has been making an impact on the overall security of merchants.  We still have a long way to go, PCI has to evolve and merchants have to be more scrupulous about putting the right controls in place, but it’s having a positive effect.  In Verizon’s own words, “these breaches, in general, did not occur in organizations that were highly compliant with PCI DSS.”


6 Responses to “Verizon Data Breach Investigation: The numbers say PCI IS important”

  1. LonerVamp on 15 Apr 2009 at 7:05 am

    Disclaimer: Have yet to read the report.

    But my opinion on PCI being relevant is that PCI is infinitely defensible and will always be relevant and never be a problem.

    It’s like a best practices approach. If someone is breached, PCI can infinitely say it’s not their fault, but rather the entity at the time was non-compliant, or a QSA did a bad review, or whatnot.

    I’m not passionately against PCI by any means (I think it’s valuable!), but I tend to be realistic with how deftly they’re able to position themselves to never be at fault but always be relevant…no matter what happens.

  2. Alex on 15 Apr 2009 at 7:25 am

    It’s worth noting that the data set represents a mix of merchants from all levels.

  3. […] first pass at the PCI specific portions of the Verizon report. Network Security Blog >> Verizon Data Breach Investigation: The numbers say PCI IS important Tags: ( reports […]

  4. […] knew about the 2009 Data Breach Investigation by Verizon, but did you know they’re having a roadshow in support of the […]

  5. idblackbox on 21 Apr 2009 at 7:41 pm

    You should have been on the phone with my client when I told her that the company she was using to process credit cards was not on the list of Validated Payment Applications! She went into this long spiel of how she doesn’t want to switch because she likes the payment application company and blah blah blah.

    One of the biggest challenges I see for most of these companies that are not on board yet is to get them to change their thought process. Standards, policies and procedures are all fine and good, but when not many company employees buy into it as a whole, it will be a struggle for the entire process.

    If everyone could envision the idea of, “I scratch your back, you scratch mine”, maybe they would realize, I should treat sensitive data in my company as I would want another company’s employees to treat mine :)

  6. RateNerd on 27 Apr 2009 at 5:29 am

    The rate of CC theft is really alarming – to the point that you can get CC numbers for as little as $0.06 according to Symantec’s report on the black market. I did an ROI calculation and even at that price it is still tempting for fraud – http://ratenerd.com/black-market-prices-for-stolen-credit-card-identity-theft-1080
