PCI Compliance: Improvements Needed
Government and Financial Set the Pace; Healthcare Security Lags
Wider acceptance of and adherence to the PCI-DSS is a good sign, says Fred Kost, director of security solutions marketing at Cisco, which provides PCI compliance support for a cross-section of industries. "All of these industries are embracing the standard, and the sentiment is very positive about PCI," Kost says.
Referencing results from a cross-industry survey commissioned by Cisco and conducted by InsightExpress, Kost says industries from education and financial-services to government and healthcare have fully embraced data security standards, and most plan to make investments in new technology and security measures in the new year. "They want to be secure and they want to comply," he says.
The survey results include responses from 500 IT decision makers from various sectors. Despite the business diversity of the respondents, one of the biggest challenges all the industries reported relates to employee education, and the steps businesses and organizations must take to ensure they are not inadvertently compromising cardholder data.
For more information about the survey, visit Cisco's website.
During this interview, Kost discusses:
- Challenges industries face from an education and technology standpoint, where compliance with PCI standards is concerned;
- Investments in emerging technologies, such as virtualization, that industries are already making, despite the lack of guidance on those technologies from the PCI SSC; and
- Why any entity that accepts cards for payment must think about security first and PCI compliance second.
Kost is the director of security solutions marketing at Cisco and responsible for marketing the Cisco Self-Defending Network security portfolio. Before Cisco, Kost was involved in network security and held executive marketing roles with Symantec, nCircle, Recourse and Blue Lane, and has twenty years of combined marketing and product development experience. He holds a bachelor's degree in electrical engineering from Purdue University and an MBA from the Kenan-Flagler Business School at the University of North Carolina.
TRACY KITTEN: New findings suggest security is improving, but challenges related to outdated infrastructures still exist. I'm here today with Fred Kost, who oversees security solutions at Cisco, which recently conducted a survey that revolves around PCI security standards.
FRED KOST: Cisco has a broad portfolio of IT products that span the IT infrastructure, from routing, switching, security and wireless, and we actually help our customers deploy solutions that help them achieve PCI compliance. So, PCI actually touches a lot. And with particular regard to the survey, we often go out and talk to the market to understand where the issues and challenges are. This time we chose to have a discussion around PCI, particularly given the recent changes in the standard that took place last fall, just to understand how organizations are progressing in PCI compliance and what kinds of challenges they are facing.
PCI Touches Numerous Industries
KITTEN: Now this survey includes information that was collected from about 500 IT decision makers who oversee PCI compliance programs for various industries, from education and financial services to government and healthcare. How was this survey conducted, and what kinds of variations are you finding where PCI compliance is concerned among the various industries?
KOST: We talked about different verticals and we wanted to make sure we got a sample across different industries. What we found, in general, is that most of the survey respondents, 70 percent, felt confident they could pass the PCI audit today. I think there is a good grasp of the requirements, and organizations are making great progress in keeping up with the standard and are in a great position to pass an assessment. In fact, if you look at the spending, about 75 percent of those organizations said they expect to increase compliance spending over the next year. So, not only have they achieved compliance, but there are investments being made to maintain compliance as we deal with business expansion, new technologies and those kinds of things. As we look across industries, we actually saw pretty consistent data across. There were a few nuances with the financial-services industry, which was an early adopter of PCI and has different controls in place versus, say, healthcare, where we haven't seen the controls in place quite as long. So, we saw some minor differences, but, in general, it is very consistent across industries.
KITTEN: You mentioned that most of the industries feel they could pass a PCI compliance audit today, but there are some challenges, especially in the areas of technology and infrastructure. Of the survey's respondents, 87 percent say PCI is necessary for protecting cardholder data; but 32 percent said that they did have a need to update antiquated systems, and that was a top challenge when it came to PCI compliance. What do some of these infrastructure concerns tell us about the industry, and why do they continue to pose such challenges?
KOST: Well, I think anytime you do an assessment around PCI, you are going to find systems that are either outdated, or don't have the latest encryption or security capabilities that are required. So, it is going to drive an upgrade to antiquated systems. I think that is part of what the PCI standards needed to do: provide a good guideline for how to have the latest security and best practices in place. I think it is not uncommon that 32 percent came back and said that one of the challenges they had was upgrading antiquated systems. It is actually interesting that 43 percent, on that same question, said that educating employees about protecting cardholder information is one of their greatest challenges. So, not only do we have technology challenges with upgrading antiquated systems, but, as in many security discussions, it continues to be an issue around educating users and driving awareness of the security challenges.
Healthcare Struggles with Security
KITTEN: Now, when we take a step back and look at the various industries that were included in this survey, government seemed to fare better than other sectors, with 85 percent passing their initial PCI assessments; healthcare fared the worst with only 72 percent getting a passing grade at the time of assessment. What makes government stand out and why is healthcare struggling?
KOST: I think if you look at the different industries, there are probably different kinds of maturity levels and different drivers that could potentially explain that. For instance, in the government area, we have had things like FISMA and different accountability standards in place for years, so there may be more of a maturity curve, as far as driving to achieve compliance and having controls around IT infrastructure. Healthcare, although most people point to HIPAA, is potentially less advanced, as far as achieving compliance. You look at others, like the financial industry, where there have been a tremendous amount of regulatory controls, and they are able to achieve compliance more quickly and confidently than some of the others. I think in each of those industries you start to see, potentially, some differences for their challenges and opportunities.
KITTEN: One of the things we have talked about quite a bit in the PCI realm relates to the Data Security Standard itself, as well as the clarifications surrounding the standard. More than 85 percent of respondents, across the board, said that they were aware of clarifications and recommendations that related to new technologies and new standards put out by PCI. What are you learning about from financial institutions? How are they faring, when it comes to PCI compliance and implementing these new types of technologies? And how did they rate relative to government and healthcare?
KOST: As you mentioned earlier, a lot of the new technologies, like wireless and mobility, virtualization and even encryption are driving changes in the standard, and as those technologies come into organizations, obviously they are having to embrace them and put things in place. If you look across the financial vertical, 70 percent were satisfied with their current security virtualization posture, so they were kind of ahead of the pack, as far as making sure that the virtualized infrastructure was secure. We do see, again, that the financial industry has a tremendous maturity model for some of the controls they have put in place, so it is not surprising that they were leading there. We also looked at wireless and looked at the use of things like intrusion prevention, intrusion detection in the wireless environments, and saw across-the-board large percentages, up in the 60-percent range, having those technologies in place today.
KITTEN: The payments industry is very diverse. How are the results broken down among card issuers, financial institutions and merchants?
KOST: We actually categorized the industries into those five that we mentioned in the beginning, so for purposes of the survey, we categorized them as financial. We actually didn't peel back that segmentation with the financial industry, unfortunately.
Emerging Technologies: Banks Forge Ahead of Guidance
KITTEN: And when we go back and look at some of the survey results for investments in new technology that secures payments and financial transactions, regardless of whether PCI guidance exists, what can we glean from the findings? What can we learn about the payment space, as far as the investments that they are making?
KOST: Sure. I think what we are seeing is that they are anticipating the new technologies and they are moving ahead of the standard to be ready. The number we threw out regarding having confidence in good virtualization, I think, is evidence of that, at least in financial services. Those organizations are anticipating what is happening with technology, where these technologies are coming in, and are putting processes and controls in place. And when it comes to things like virtualization, it is a moving, evolving best practice, which I think continues to make it very relevant for so many organizations.
KITTEN: Are financial players leery of making investments in some of these technologies when no guidance yet exists? It sounds like they are just ready to step forward, so that they are ready when the guidance does come down?
KOST: I think so. In many of these situations, the technology is kind of coming into the environment, so there is a business advantage and a real reason you want to deploy it. It makes sense to make that investment and move forward. If it was some sort of mandate or edict and you couldn't see the business relevance, then I imagine someone would wait for a standard. But I think the relevance of the standard here is really following best practice on what people need to put in place.
Biggest Challenge: Educating Employees about Data Security
KITTEN: And beyond those points that we have noted above, what do you deem to be the top three to five takeaways from the report, especially when we look at the different sectors: government, financial-services and healthcare?
KOST: Well, I think first, across the industries, all organizations have taken steps and they are very confident in their ability to pass the assessments. I think they are fully embracing the standard. But also, on the second point there, the sentiment there was very positive. We asked whether they feel more secure, and the majority said they definitely feel more secure having put PCI in place. We also gave them the option to say "No, I don't feel more secure." So, the majority of folks not only feel they are achieving compliance, but they are saying that they are more secure because of those compliance efforts. Often it is said that compliance does not mean security, and in this case, there is a big security benefit to being compliant; I think that is being recognized very strongly by organizations.
Another takeaway relates to their challenges; there were a few technology challenges, and, Tracy, you mentioned antiquated systems. But, really, the biggest challenge they are facing relates to educating employees about how to properly handle cardholder data. That also speaks to the fact that we can put great technologies in place, but we have to remember there are people involved, and it is often a combination of people, process and technology that helps us deal with these things. In this case, there is process and technology running around the standards, but we also can't predict the people part. We have to make sure that we are educating them on how to handle cardholder data.
KITTEN: And what conclusions has Cisco drawn, based on the survey's results about security investments? Could more investments be made in educating employees? And what about investments in technologies that these various industries plan to make over the next 12 months?
KOST: I think from a technology perspective, we can clearly see organizations tracking and looking at investments in wireless, encryption, and beginning to look at virtualization. Those technologies have come into pervasive use. I think that the people are an ongoing challenge that many organizations face. As we do surveys on other topics, we very commonly find that that's a top issue: "How do I make sure that I can make my users aware, trained and educated about the risks?" I think that one continues to be an issue around PCI. At the point of sale, I may have a point-of-sale application or some place where an employee actually comes into contact with payment information and I need to make sure that employee is aware of that. So, I think balancing the technology with the people seems to be the challenge that organizations are facing.
KITTEN: One of the things that comes up quite a bit in the financial space, when it comes to PCI, is that financial institutions themselves should help lead the charge on educating some of their own customers and members. Do you see the financial industry helping to spearhead some of this movement, or helping to work with some of the entities that they are connected with in the payment space?
KOST: I think they have, and I think part of it is because of their maturity level: they have been best-practice leaders and are leading by example. But also, because some of those organizations are a party to acquiring transactions and are helping to process transactions and have merchant relationships, I think financial institutions have a role. They have taken steps to help educate their partners and customers.
KITTEN: And, in closing, Fred, what final thoughts would you like to share about security and PCI in 2011?
KOST: I think it is a continually evolving world we live in. We talked a lot about new technologies, and that we have seen the standards evolve and change. So, I think virtualization is an area to monitor and see what to do from a technology perspective. PCI relates to many more industries; it is very uncommon, now, for a business not to accept some sort of payment card for transactions. I think as businesses look at coming under PCI compliance, and look at how they can, through segmentation, isolation and different technologies, control the systems that have access to payment-card information, they will make achieving PCI compliance more successful.