Where PCI compliance fails: Security testing, network monitoring

Verizon report shows better, if incomplete, PCI compliance, but also raises long-standing questions about the standard


Where most organizations still fell short on Requirement 11 was in relying on internally launched scans, not conducting penetration testing, and not properly securing wireless access points. The report blames companies' tendency "to opt for the cheapest, quickest and most superficial testing that will allow them to 'check the box'." Again, the report views a lax approach to security as its own punishment, with PCI noncompliance an insult added to existing injury.

It isn't difficult to see how the year-over-year jump in overall scores for Requirement 11 -- from a pathetic 11.3 percent in 2012 to a more respectable 40 percent in 2013 -- might have been spurred by a general increase in network security issues, post-Snowden, and not simply a burning desire to adhere to PCI's regs. If one of the nice by-products of not being hacked is PCI compliance, that says less about the virtues of PCI compliance in the abstract than it does about the need for any company to protect its interests.

Security and PCI are never finished

The idea that PCI standards are perpetually incomplete, and may best be thought of as such, is easily seen by looking at the headlines. Retailer Neiman Marcus believed it had security measures that exceeded PCI compliance, yet it was hit with a malware attack of surprising strength. The malware in question was cutting-edge stuff, provoking questions about how much emphasis PCI should place on guarding against next-generation threats, how the compliance assessment process should work, and so on.

One other issue this affair brought up -- which seems crucial to data security in any environment -- is whether PCI 3.0 should mandate encryption for data in motion as well as data at rest. It currently doesn't, and that lack isn't even discussed as one of the key criticisms against PCI in the report. Instead, the topic's been relegated to Appendix B of the report, which notes that it only validated its first hardware solution in late 2013, and "P2PE is still not widely deployed, partly due to a lack of suitable approved solutions — these are only now appearing on the market."

Such a dilemma seems symptomatic of PCI as a whole. It's unwise to make recommendations that people will find difficult or expensive to comply with, but it's hard to ignore that this sometimes means good advice gets sidetracked. Here's hoping for better compliance through 2014 -- not in spite of PCI's recommendations, but because of them.

This article, "Where PCI compliance fails: Security testing, network monitoring," was originally published at InfoWorld.com.
