The Achilles Heel of PCI ComplianceVerizon Report: Most Breaches Could Be Prevented
This week, Verizon Business releases its 2010 Payment Card Industry Compliance Report, a study that analyzes 200 selected PCI assessments conducted in 2008 and 2009 by Verizon's Qualified Security Assessors. The report reviews how companies are attaining and maintaining PCI compliance. Among the key findings this year: Businesses and organizations struggled most with PCI requirements regarding tracking and monitoring access, as well as meeting the demands for system and process testing and the protection of stored cardholder data.
"Companies struggle with anything they have to maintain over time that requires constant attention," says Baker, director of risk intelligence for Verizon and one of the PCI report's authors. "Just because you were validated at a point in time does not mean that's going to remain static all year."
Lack of DiligenceWhat often leads to breaches at once-PCI-compliant companies, Baker says, is a lack of consistency and diligence. Companies are not maintaining PCI compliance. "If you don't maintain compliance by constantly reevaluating and upgrading systems, that compliance will erode over time. It erodes down to the point where they are weak, and that's when a breach occurs," he says.
Of organizations Verizon reviewed or assessed for the report, only 22 percent were consistently compliant with PCI requirements from one year to the next. "They gain compliance and they're validated in year one, and then by year two they've lost a little bit," Baker says. "That's a very interesting trend."
Baker is quick to point out that the companies Verizon found that had been breached were not PCI compliant at the time, but had been PCI compliant at some point in the past.
Most payments companies, he says, are doing a better job at staying compliant, but improvements in corporate mindsets are needed. "Certain attacks are going down, and I think a lot has to do with the PCI DSS. But other types of attacks are going up," Baker says.
In Verizon's Data Breach Investigations Report, which also was recently released, Verizon notes that while the number of data base breaches has dropped, the compromise of records has increased. "Personal information in records, like medical records, has value to criminals," Baker says. "But there is a lot of positive momentum in that range, as well," to better protect consumer information.
PCI Common SenseThe vast majority of breaches are preventable, Baker says. Only a small percentage of breaches require sophisticated controls. "Following the security basics, Security 101 and 102, consistently and comprehensively across the organization is rule No. 1," Baker says. "And that would knock out many of these breaches."
Verizon notes that 90 percent of all breaches could have been prevented with something simple, like changing a password. Chris Novak, who works in Verizon's forensics unit, said during his presentation at the PCI Community Meeting in September, that only 15 percent of breaches are high-tech. "The majority of the breaches we see are of moderate complexity," he said. SQL injections top the list and are the most easily prevented, Novak says.
Baker also points to the exploitation of default credentials or stolen credentials as ranking high on the compromise list. "An attacker just goes and starts hammering away at an application and tries 'admin' and 'password' and other combinations that are set at the factory on certain devices and systems," Baker says. "All too often, just trying that a few times allows the attacker in, and then he can do whatever he wants to do from that point on."
The use of keyloggers that take control of a desktop and steal a user's password also is common. "The hacker gets the password and sends it to some external entity or site, and then that entity uses that password to enter the corporate network," Baker says. "We are seeing that quite often. The hacks that are most prevalent are the ones that have been with us a number of years."