If you ask most folks in business IT to finish the sentence "PCI compliance is _____", the single most unironic and demonstrative answer you'd probably get would be "hard."
A big part of why PCI is hard is due to the sheer number of details involved in compliance, as a new report from Verizon indicates. That said, the one area where most companies failed with compliance, according to the report, may be more a reflection of companies' willingness to cut corners than of PCI's tough standards. But how true is that?
PCI: A work in progress
The Verizon 2014 PCI Compliance Report, released on the tail of the one-year anniversary of 3.0 version of the PCI DSS standard, recognizes how difficult it is to be compliant. If anything, the report makes the case that compliance is better thought of as a matter of degrees than absolutes -- and that the more degrees of implementation a company can apply, the less generally vulnerable it'll be.
Also, the report has been engineered to deal with the tidal wave of criticism, much of it from the industry it's been designed to serve, about PCI's utility and adequacy. Oracle chief security officer Mary Ann Davidson had her own pithy words about the PCI Council requiring software vendors to speak up about vulnerabilities even for unpatched products.
That specific criticism is addressed indirectly, as evidenced in the report's choice of wording: "Efforts to comply distract companies from what's really important: security." Verizon's take is that PCI compliance and security are complementary, and improving one helps improve the other.
As a further laurel branch to critics, the report notes that PCI remains a work in progress, and "there are several important criticisms of the PCI DSS in particular that remain open to discussion even after the enhancements, clarifications, and expansions in version 3.0." It's hard to say the PCI Council has been entirely ignorant of the changing face of the industry; it has standards for cloud security, and the report delves into some of the more exotic security issues that can arise exclusively in cloud environments. But the contents of the report aren't likely to ward off accusations that PCI is too complex and too difficult for its own good.
Where companies fall most short
Of all the charts, tables, and graphs in the report detailing degrees of compliance with different parts of the PCI spec, the most striking can be found on page 15. Entitled "Summary of compliance by requirement," it lists what percentage of the companies profiled were compliant with which of the 12 PCI 3.0 requirements and to what degree. Nobody got a perfect score in any category, but compliance is up across the board.
What one category of compliance remained the biggest Achilles' heel? Requirement 11, or "Regularly test security systems and processes," which includes vulnerability scanning, penetration testing, auditing of network resources, and so on.