Roughly eighty percent of retailers and other PCI-impacted organizations fail their interim compliance assessments. According to the 2015 PCI Compliance Report by Verizon Enterprise, retailers are finding that maintaining compliance is proving harder than achieving it in the first place.
When it came to data breaches, the same Verizon research found that every breached organization it investigated was out of compliance at the time of the attack. Retailers who suffer a breach with customer data loss face long-lasting effects that go well beyond the cost of regulatory fines, notification, and investigation: breached retailers also generally experience lasting damage to consumer trust and revenue.
For more information on the impact of security incidents, we recommend The Real Price Tag of Retail Store Data Breaches.
In this post, you'll learn why retailers fail their interim assessments and some of the most common PCI compliance mistakes. We'll also provide some insight into how security-focused retail organizations maintain 24/7/365 compliance.
Why are Retailers Failing Interim PCI Compliance Assessments?
How can an organization fall out of compliance and fail to notice until it has been breached? Blame it on a constant state of flux. The "average" enterprise retail network may see thousands of changes a day as teams add endpoints, patch software, or make other routine changes, and any one of them can silently take a system out of compliance.
While the policies and activities of security teams can vary significantly, the most commonly failed PCI requirements by breached organizations, according to Verizon's 2015 PCI study, were:
- Requirement #6. Develop and maintain secure systems and applications.
- Requirement #10. Track and monitor all access to network resources and cardholder data.
Common Mistakes Retail Companies Make With PCI Compliance
A "successful" data breach with theft of protected information is a series of failures. Most commonly, humans, policy, and technology all fail to protect assets adequately. Non-compliance with PCI Requirements #6 and #10 correlates with breaches, but what are the mistakes that cause organizations to slip into non-compliance in the first place?
According to a recent panel survey of data security experts by Digital Guardian, the most common security and PCI errors include:
- Over-reliance on obsolete "perimeter protection" instead of a focus on data protection.
- Too much reliance on limited tools, such as firewalls.
- Failure to adopt "ongoing intelligence" to monitor assets actively.
- Focusing too much on critical servers while ignoring other endpoints.
- Settling with the bare-minimum approach to security and compliance monitoring.
PCI is a holistic approach to information security. However, the 2016 Verizon Data Breach Investigations Report (DBIR) found that many organizations aren't doing the basics: only about 25% of organizations discover a security incident within a few days of it occurring, and many routinely fail to patch utility hardware.
Maintaining control and compliance in a complex network requires total oversight 24/7/365. Without the ability to remotely monitor your endpoints, data, and parameters, you may not know that you've lost compliance, even if you're meeting the bare minimum PCI requirements for penetration testing and file integrity monitoring.
3 Ways Retailers Can Maintain Constant PCI Compliance
1. Develop mechanisms for identifying non-obvious risks.
Your security team is (rightly) worried about the risks of your employees' mobile devices. But are you so worried that you haven't noticed your VoIP phones are still using default administrative passwords, or that your utility server hasn't been patched in almost a year? These less obvious risks represent easy paths of entry for cybercriminals, and they are exactly the kind of drift that an interim assessment catches.
2. Test constantly.
Very few organizations are aware of the glaring risks that cybercriminals exploit during crime sprees. By using tools like CimTrak or other network-wide intelligence platforms, you can identify the areas of your network that have unknown compliance issues before an assessor, or an attacker, does.
3. Make compliance a 24/7 job.
PCI isn't cheap or easy. However, understanding when you are moving in and out of compliance due to subtle changes in your network doesn't need to require constant, manual analysis.
With a tool like CimTrak for PCI compliance, you can receive real-time notifications of emerging risks. This enables you to fix the vulnerability before a criminal finds it.
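The "subtle changes" described in steps 2 and 3 are what file integrity monitoring (PCI DSS Requirement 11.5) is designed to surface. The following is an added illustration written for this post, not CimTrak's own code or any vendor's implementation: it builds a SHA-256 baseline of a directory tree and then reports which files were added, removed, or modified since that baseline. The directory layout, file names, and the "skimmer" and "webshell" contents are constructed sample data for the demonstration; a production FIM tool would also track permissions, owners, and timestamps, store the baseline somewhere an attacker on the monitored host cannot alter, and alert continuously rather than on demand.

```python
"""Minimal file integrity monitoring (FIM) baseline-and-compare.

Added example, not CimTrak code: snapshot a tree with SHA-256, then diff
two snapshots to find added, removed and modified files. Sample files and
their contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256.

    Symlinks are skipped so a planted link cannot make the monitor hash
    (and 'approve') a file outside the monitored tree.
    """
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots. Returns sorted path lists under added/removed/modified."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a small web root holding a config file and a
    checkout script. Between snapshots the checkout script is altered, a new
    PHP file appears, and the config file is deleted. Returns the detected
    changes so they can be checked without reading printed output."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "conf" / "app.ini").write_text("db=cardholder\n")
        (root / "checkout.php").write_text("<?php // legitimate checkout\n")
        (root / "static.css").write_text("body{}\n")
        baseline = build_baseline(root)

        # Subtle changes an interim assessment would flag: one modified file,
        # one unexpected new file, one removed file. static.css is untouched.
        (root / "checkout.php").write_text("<?php // legitimate checkout\n// skimmer\n")
        (root / "webshell.php").write_text("<?php eval($_POST['x']); ?>\n")
        (root / "conf" / "app.ini").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9s} {p}")
```

Running the script prints one line per change (ADDED webshell.php, REMOVED conf/app.ini, MODIFIED checkout.php) and nothing for the unchanged stylesheet; scheduling the compare step against a baseline kept off-host, and routing its output to an alerting channel, is what turns this one-shot diff into the continuous monitoring the three steps above call for.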
Can Constant PCI Compliance for Retailers be Easy?
Constant PCI compliance is close to impossible if you're trying to oversee your network and close vulnerabilities manually. However, with the right technology, PCI compliance can be simple for retail organizations.
To prevent point-of-sale attacks, phishing, advanced persistent threats (APTs), or other forms of attack from resulting in data loss, exceeding PCI compliance requirements may be the smartest plan. CimTrak makes it easy to understand when you've moved out of compliance and to remediate adverse changes in real time.
For more actionable insights, download our PCI Compliance Checklist today!
January 3, 2017