back to article Verizon: Just 25% of global businesses comply fully with the Payment Card Industry Data Security Standard

A little more than a quarter of companies worldwide are fully compliant with the exacting PCI DSS online payment security standard, according to US telco Verizon. The company's 2020 Payment Security Report found that only 27 per cent of organisations worldwide were in line with the full ambit of the PCI DSS (Payment Card …

  1. Anonymous Coward
    Anonymous Coward

    I bet it's even less in reality...

    ... I have clients who just run down the questionnaire portion of TrustWave's audit, ticking yes on everything. I bet the true compliance number is even less; I wouldn't be shocked if it were single digit. (And yes, I've told them to actually read it and do what's needed...)

    1. Anonymous Coward
      Anonymous Coward

      Re: I bet it's even less in reality...

      The problem is that the questionnaire is set up to where you have to answer "yes" on everything to pass. A single "no" means that you fail.

      I work in IT security. I hold several IT security certifications, and have over 25 years of experience in IT. I can honestly say that it is completely unrealistic to be able to answer "yes" to 100% of the questions on the PCI questionnaire.

      You read the thing, and keep thinking to yourself, that this must have been written by a group of Academics that have never worked in an actual business and have met real human beings.

      The only way to answer "yes" to 100% of the questionnaire would be to close the business and lock up all of the servers in a vault somewhere. This is where the "clicking yes to everything" (the AC above mentioned) comes from.

      I do completely agree with the spirit of what PCI DSS is trying to do. And I agree that as much as 90% of what is being asked is essential to security. The problem is the 10% that is not going to happen in most operating businesses.

      I will also point out that most of the major breaches of credit card information happened at companies that were PCI Level 1 compliant at the time of the breach. That one fact right there shows what a useless exercise PCI really is.

      1. Anonymous Coward
        Anonymous Coward

        Re: I bet it's even less in reality...

        I hate to disagree with you, but I think that the PCI DSS was written specifically for companies that run all of their PCI transactions on IBM's z/OS.

        I have been in IT for over 30 years, have been certified before (it was a collosal waste of my money,) and have had to maintain compliance with the changing PCI standards for more than a decade.

        In my experience small to mid-sized companies need to employee at least 3 specialists working full time to maintain compliance.

        The only changes I'd suggest to the PCI certifictation process would be to make it a requirement that no company over a certain size be allowed to self-certify, and that no company be allowed to use the same auditors for consecutive yearly audits. I have experience with several auditing firms and NONE OF THEM have performed the same checks.

        1. Cliffwilliams44 Silver badge

          Re: I bet it's even less in reality...

          Forcing small businesses to to these thing accomplishes only 2 things, increasing cost to the consumer or putting these small businesses out of business.

          These questionnaires are too vague and don't cover all business situations.

          The questionnaire should start with one question:

          "Do you store customer payment information:

          No: You are done

          Yes: Please continue.

  2. IGotOut Silver badge

    The same Verizon...

    ....that allowed 14million billing accounts to be lifted?

    1. RM Myers
      Thumb Down

      Re: The same Verizon...

      Why yes, yes I believe it is the same Verizon. Remember folks - do as I say, not as I do.

    2. Cliffwilliams44 Silver badge

      Re: The same Verizon...

      No, this is Verizon throwing FUD against the wall.

      Their motivation has nothing to do with security and everything to do with:

      Customer: Oh my God I am out of compliance! How do I fix this?

      Verizon: You pay us!

  3. Jay Lenovo

    Standards make us feel good, but accountability keeps us right.

  4. rcxb Silver badge

    The PCI industry has only itself to blame. The bureaucratic rules are vague enough to drive a truck through, and they accept worthless trash as a security scan to certify compliance.

    Want to know how to pass a Trustwave scan? Suppress web server version strings. That's it. If you let it grab the version, it'll list EVERY vulnerability against that version of the software as if you're vulnerable, never-mind whether you're running a version that's patched the vulns, the vulnerable features are all disabled, and it's duly harded. But disable the version reporting, and you can have loads of unpatched vulnerabilities and rootkits everywhere. There is no ATTEMPT to check. That would cut into their profits, which then cuts into the kickbacks...

    1. stiine Silver badge

      The problem is that they have to scan your production environment, and if you don't have two of them, they you risk their scan destroying that environment. This is because you are allowed to instruct them not to exploit the vulnerabilities that they think they've found. If they were required to exploit vulnerabilities as part of the external scan, every company would need 1/3 more (assuming prod, test, dev environments) resources (ip addresses, hardware, software, etc) in order to allow one environment to be broken during the audit. If you want the cost of everything you buy to go up by 20% (before taxes), push for this change to PCI.

      1. rcxb Silver badge

        1) It's possible to fingerprint a network service besides just reading the version string to better identify if there are any outstanding vulnerabilities.

        2) Most exploits do not need to damage the services or systems.

        3) The whole point of a security scan is for the good guys to identify problems before the bad guys do. If that means causing a DoS incident to a customer to prove they are running running vulnerable software, that's a much cheaper

        4) Customers can schedule security scans, so off-hours, maintenance windows are easily selected.

        5) The cost of widespread credit card fraud is quite significant, too. A company could make a whole business model out of being more secure, and giving their customers lower fees or better rewards due to the decreased fraud from vulnerable companies.

  5. -tim
    Facepalm

    The real compliance rate is much closer to 0.00%

    Compliance requires network scans for all open and previously used protocols. Modern machines all have IPv6 enabled by default so the scans must test for IPv6 yet no scanning vendor I know of does that properly. If the system was ever hooked to a Novel lan or old IBM mainframe, you need to test that as well just to verify that old stuff is all off or come up with a compensating control saying you are very sure the system can't be hacked by something like a Banyan VINES Christmas tree packet.

  6. Anonymous Coward
    Anonymous Coward

    I have been in meetings where systems that were meant to be compliant where not.

    The point was raised, the delivery refused, and questions were asked. Apparently someone (not UK based) who didn't know what it was decided to de-scope it from the project rather than investigate and check. And yes, this was pretty recent (this year).

  7. Security nerd #21

    Having done a fair few PCI DSS compliance reviews over the last 15 years, I've come to the firm conclusion that the whole point of it is to try and offload the responsibility on to the payment provider (i.e. use their code / servers etc) - not try and do it yourself. Some pretty clever stuff being done these days, with field level iframes etc, to make it entirely transparent to the user.

    The PCI standard might have worked in 2004 - but doesn't work in 2020, when using API driven services, fronted by cloud load balancers etc. (Have you ever tried to get a VA scan through Akamai ? ...)

    Get down to the basic SAQ-A, and it ends up with "do you have some InfoSec policies", and "Do you sack people" - job done.

    1. HereIAmJH

      Cloud

      Out of all the critical systems being deployed to the cloud, I wholeheartedly support off loading credit card transactions to a 3rd party. Let PayPal handle all the PCI-DSS compliance headaches. Having spent close to a year of my life, and millions of $$$, working on a project to get our company in compliance, leave this to the experts. Those transactions costs aren't as high as they seem.

  8. EnviableOne

    S2D2

    "Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,"

    this is the brick wal a lot of us find ourselves bangin our head against, till C level execs start treating security and privacy risk on a par with financial risk, there are going to be a lot of these reports floating

    1. Cliffwilliams44 Silver badge

      Re: S2D2

      They never will because financial risks are real to them and privacy risks are theoretical to them. Until they happen. I've seen my own employer just lip-service security until they wanted to purchase Cyber-Insurance and realized they would pay a high premium unless they actually did something.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like