Survey: Just 1 in 3 Euro biz slackers meets card security standards European businesses are lagging far behind the rest of the world in compliance with global payment card industry security standards, according to a new survey. Just under one-third (31 per cent) of surveyed European businesses met 80 per cent or more of the PCI Data Security Standard (DSS) requirements, compared with 75 per …
PCI-DSS is not perfect and won't prevent breaches. However, what is in the standard is not rocket science and is good general security practice. From a business perspective, it should be seen as the bare minimum you need to do in order to protect your customers' card data as part of a wider security policy.
For small businesses (and even large ones), the simplest way to handle it is to use a third party payment service provider to handle card data so that card data never even touches your systems. Some will even handle tokenisation which allows you to do recurring charges. And some will even provide fraud monitoring systems where you can configure the rules yourself. Of course there are still situations where you want to build your own solution because you have special requirements but the value of building your own compared to the risks of getting it wrong is diminishing fast.
Having actually passed a PCI-DSS audit I can tell you that the the problem with PCI-DSS is that it looks great until you actually have to go through the trouble of maintaining a compliant system. It's not the technical requirements that are the problem it's the mountains of paperwork. When faced with having to spend more time filling out forms than actually applying system updates it ended up that the PCI-DSS portion of our network got security updates less often than the rest of it and that's a very bad thing.
There are also parts of the standard that have nothing to do with actual security such as the demand that all system updates be applied to a test machine before going live. It's as if someone read every book on system administration and then tried to codify the combined content and I wonder if whoever wrote the standard has actually ever maintained a system for themselves.
The suits just see PCI as another badge and yet another irritation from the underlings.
They want the badge, they don't care how they get it so long as it is the cheapest possible way and they totally miss the point of why they are doing it in the first place.
When it goes wrong they blame the underlings for doing it badly rather than taking it on the chin and saying it was because they couldn't give a s**t and allocated no time or resource.
They get all "tense and erect" in the week before the audit but they soon forget about it all and go back to swinging their d**ks about at each other.
If you try to raise any issues you get marked as a trouble maker. If you raise the issues in the week before the audit you get berated for not letting them know sooner.
PCI, to the most extent, is about covering the a***s of senior management and the CC firms. T**ts, the lot of them.
Maybe they should make the PCI compliance requirements consistent so that is is actually possible to meet them all and still run a functional public website.
We are not currently compliant, as we refuse to turn off SSL 3, TLS1.0 and TLS 1.1. If we do that, most legacy browsers will be unable to connect to the sites. (and by "legacy" I mean Firefox < v27, Chrome < v29, IE < v11, Safari < v6, etc, etc) so basically a large proportion of our client base.
Also, in order to be compliant with the BEAST mitigation requirements, we offer RC4 level ciphers first, but that's not compliant either...
The cost of implementing PCI-DSS can be pretty high, especially if you're a small business that needs some flexibility that using a purely third party payment processing service can't provide. So, a lot of businesses simply don't bother - because they can't afford to do it without seriously eating into their income.
I know I have had to cut back on features in a system I'm writing, as my employer can't afford to go through the whole PCI-DSS auditing process, so instead things are handled by a third party in their entirety when it comes to payments. This means the system is not as good as it could be due to funds alone.
Except there tends to be a large cost assocaiated with it, unless your dealing P2P Encryption devices which are completely devoid of your network infrastrucutre. For instance:
Take a new merchant installing software for the first time, lets say its a SME with 300-700 people.
There is a good chance that:
1) The have no one trained on security nor staffed by security.
2) Don't have the network configured properly for PCI.
3) Are about to scream at the software vender when they need to improve the network.
So lets start by the first most obvious and basic requirement. A firewall. Now, most companies have one at the edge but not all have two or three doing DMZ work. If the only have one you have really three choices.:
1) Segregrate off a port on the current one (If you have the ability too, I'm thnking UTM's) works ok for smaller deployments,
2) Purchase another FW for DMZ (A requirement for PCI, but more than I care to explain)
3) Bring in a separte ISP line and add a firewall.
Were trying to keep it cheap so lets say we have a FW in place and have ports we can use off the FW for DMZ work and segregration requirements. Right now were running on our admin time (a cost I'd assocate with any project). We now must consider our servers.
Physical servers are actually less complex regarding PCI IMO, but even smaller SME are virtualized so this tends to be either an additional cost in hardware, or we need to go through the process of configuring our Virtual Environment, which with virtual you run into the problem of PCI servers and non pci servers on the same hardware. (Larger facilities can afford to have dedicated VM hosts for PCI VM's, SME don't really.)
I could keep going on this, I see it every day. We havn't even got into the cost of having a QSA come in, or the added requriements for remote access (most SME's I come accross don't use two-factor) and being SME's with no security professional or trained staff they don't have:
1) An Information Security Charter
2) Don't perform risk assessment, vulnerablity assesments, or gap analysis
3) Have no method for Incident Response
4) Have piss poor physical access
5) Have no documentation on log analysis, network maps, etc
So,cost tends to be a big point.
Having project managed the successful achievement to the standard for a major UK lottery I can confirm that meeting this standard and adhering to it from an operational perspective is the least I would expect from any organisation that processes my card data. You only have to look at the recent breaches reported on this website to see how many organisations are caught out by even basic phishing/social media and hacking activities. It annoys the hell out of me that Apple insist on having my CVV data held on their systems just to set up an Apple device. If it weren't for pester power of my children I'd ban Apple products from my house for this simple breach of the standards.
I'm struggling to reconcile two of the paragraphs in this article.
"Just under one-third (31 per cent) of surveyed European businesses met 80 per cent or more of the PCI Data Security Standard (DSS) requirements, compared with 75 per cent of those in the Asia-Pacific region and 56 per cent in the United States."
vs
"Overall, global compliance with the PCI standard has improved over the past 12 months. More than 82 per cent of organisations were compliant with at least 80 per cent of the PCI standard at the time of their annual baseline assessment in 2013, compared to just 32 per cent in 2012 – a major improvement."
Is the second paragraph talking about all submissions to the PCI registry, vs the first paragraph talking solely about a small sample of them? If so, why is the sample so unrepresentative?
For a group claiming to preach best practice, you would think they could produce a version 3 document with edit marks and wouldn't be using pdf web pages.
The PCI chain of liability is there for one reason only and that is so there is someone to sue to recover the costs of reissuing cards when some payment provider goes bust after a breech.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
