Lack of testing, lack of built-in security, and inadequate protection for stored data lead list of PCI noncompliance items

I figured that since the PCI DSS compliance deadline for Level 1 merchants was this past Sunday that there would probably be a ton of published news reports about it on Monday. There were…and today as well! One that caught my eye was in eWeek on Monday, “Comparison Shows Very Little Shift in PCI Failures.”


Basically the story compared the top 10 PCI DSS compliance failures Verisign found last year with those it found this year. Why didn’t they create a table showing this? Well, I guess they assume you’ll submit your contact information at the Verisign site to get to the comparison within Verisign’s September 17 report, but that report does not have a table showing the year-to-year comparisons. In fact, I could not find all the numbers for each year that the eWeek article listed, so I couldn’t reconcile the information in the eWeek article with the information in the Verisign report…dang it!
I wanted to put what I could find into a rudimentary table format for you, but I can’t get my darn blog site capabilities to cooperate with me! UGH! This has been a trying day on top of so many other things…yes, some other blog topics to cover when I have a less frustration-skewed view of them…
Top 10 PCI DSS Compliance Failures (share of noncompliance in 2006, and the requirement’s rank this year; “#?” means I could not find this year’s rank)

2006   Requirement                                                                                          Now
79%    Req 3: Protect stored data                                                                           #3
74%    Req 11: Regularly test security systems and processes                                               #1
71%    Req 8: Assign a unique ID to each person with computer access                                        #?
71%    Req 10: Track and monitor all access to network resources and cardholder data                        #?
66%    Req 1: Install and maintain a firewall configuration to protect data                                 #?
62%    Req 2: Do not use vendor-supplied defaults for system passwords and other security parameters       #?
60%    Req 12: Maintain a policy that addresses information security                                       #?
59%    Req 9: Restrict physical access to cardholder data                                                   #?
56%    Req 6: Develop and maintain secure systems and applications                                          #2
45%    Req 4: Encrypt transmission of cardholder data and sensitive information across public networks      #?
I’m somewhat surprised that the encryption requirement was failed only 45% of the time. Most of the many, many privacy breaches were a result of data not being encrypted. If the trend is showing that more organizations are encrypting personally identifiable information (PII), then that is a good sign! However, until all mobile PII is encrypted we’ll continue to see a large number of privacy breaches.
The lack of testing and the lack of building security into applications also don’t surprise me, but they are disappointing. Building security in, and then testing to ensure it works securely, could prevent so many privacy breaches.
