PCI DSS Compliance: How Well Are Companies Doing?

Verizon recently published a detailed report analyzing the level of PCI DSS compliance of thousands of surveyed companies, including where they comply and where they fail to meet PCI DSS requirements.

PCI DSS compliance impacts many organizations around the world – basically any business that deals with credit cards and cardholder information. The goal of the PCI international security standard is to protect cardholder data regardless of the payment channel, whether debit or credit, in a physical store or an online store.

PCI DSS compliance is broken down into 12 requirements and 289 controls and sub-controls. The major news out of the Verizon research is that compliance remains an issue for the majority of businesses impacted by PCI DSS. Verizon found that:

- Only 11.1% of companies passed all 12 requirements

- Only 51% of companies passed 7 of the 12 requirements

Some of the most interesting data and comments start on page 17 where, for each of the 12 requirements, the report highlights the most challenging compliance elements.

Here are some areas where Palo Alto Networks technology can help. (For a complete review of how we support businesses in their requirement to comply with PCI DSS, you can download our white paper “How to Reduce the Cost and Complexity of PCI Compliance.”)

- Page 18 on Requirement 1 - Install and maintain a firewall configuration to protect cardholder data: “…firewalls and routers being configured more generally, allowing a wide range of ports to ensure that applications function.”

The Palo Alto Networks security platform and our next-generation firewall are specifically designed to address this challenge. By identifying traffic at the application level, we let the security team authorize only a selected set of applications in the cardholder environment and block everything else, regardless of port.

- Page 25 on Requirement 5: “…the threat from malicious software can change quickly, so it is important that organizations keep abreast of current trends and developments…”. The Palo Alto Networks platform includes a natively built threat detection solution, which automatically blocks known threats and identifies unknown threats. Our innovative architecture allows the systematic inspection of suspicious traffic without any degradation of performance and is thus effective at stopping malware as it morphs.

- Page 30 on Requirement 7: “…Permissions should be granted based upon the specific role and responsibility, which must be tied directly to the applications and processes a user requires access to in order to perform their defined role.” Our next-generation approach to security is perfectly aligned with this requirement: our ability to identify and control traffic based on applications (App-ID), users (User-ID) and content (Content-ID) delivers the most granular way to control user access to the cardholder environment. Using a combination of App-ID and User-ID in security policies, security administrators can limit specific users to specific application functionality.

- Page 38 on Requirement 10 and log management. Our platform supports the ongoing management of a full audit trail of traffic and users flowing in and out of the cardholder environment. All of the items that we identify and control (applications, ports, users, source/destination IP addresses, threats and more) are also logged. Reports are produced at the user level, which directly matches compliance audits that require identity-based reporting and avoids the tedious work of matching IP addresses to users. In addition, the logs can be forwarded to a syslog server for both archival and advanced reporting purposes, including solutions like Splunk that can be used for advanced analysis of logs and traffic.
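The three points above (Requirement 1, 7 and 10) share one idea: decide on application and user identity rather than on port, default-deny everything else, and log the decision keyed on the user. The following script is an added illustration of that idea, written for this post; it is not Palo Alto Networks code and does not model the product's policy format. It assumes that application classification and the IP-to-user mapping have already been done upstream (the `app` and `user` fields on each flow), and every rule, address and user name in it is constructed for the example.

```python
"""Application- and user-aware allow-list for flows into a cardholder data
environment (CDE), contrasted with a port-only rule. Hypothetical example."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str             # application identified from payload (assumed classified upstream)
    user: Optional[str]  # user mapped to src_ip by an identity source; None if unmapped


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset     # allowed user names; an empty set means "any user"
    apps: frozenset      # allowed application names


# Constructed allow-list for traffic entering the CDE. Nothing here mentions a port.
CDE_RULES = (
    Rule("pos-to-payment-gateway", frozenset({"svc-pos"}), frozenset({"payment-api"})),
    Rule("dba-admin", frozenset({"alice"}), frozenset({"mssql-db"})),
)

# Constructed port-only policy of the kind the Verizon quote warns about:
# ports opened wide "to ensure that applications function".
PORT_ONLY_ALLOWED = {443, 1433}


def evaluate(flow: Flow, rules=CDE_RULES) -> Tuple[str, str]:
    """Return (action, rule_name). First matching rule wins; otherwise default deny.
    The destination port is deliberately never consulted."""
    for rule in rules:
        user_ok = not rule.users or flow.user in rule.users
        if user_ok and flow.app in rule.apps:
            return ("allow", rule.name)
    return ("deny", "default-deny")


def port_only_decision(flow: Flow) -> str:
    """The weaker policy: allow if the port is open, whatever rides on it."""
    return "allow" if flow.dst_port in PORT_ONLY_ALLOWED else "deny"


def log_line(flow: Flow, action: str, rule: str) -> str:
    """Syslog-style audit record keyed on user and application, not only IP."""
    user = flow.user or "unknown"
    return (f"action={action} rule={rule} user={user} app={flow.app} "
            f"src={flow.src_ip} dst={flow.dst_ip}:{flow.dst_port}")


# Constructed sample flows, all destined for the CDE.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.20.0.10", 443, "payment-api", "svc-pos"),   # legitimate POS traffic
    Flow("10.1.0.7", "10.20.0.10", 443, "ssh", "bob"),               # ssh tunnelled over 443
    Flow("10.1.0.9", "10.20.0.20", 1433, "mssql-db", "alice"),       # authorized DBA
    Flow("10.1.0.9", "10.20.0.20", 1433, "mssql-db", None),          # same app, user unmapped
]


def audit(flows=SAMPLE_FLOWS, rules=CDE_RULES):
    """Evaluate every flow and return the audit trail as a list of log lines."""
    return [log_line(f, *evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for flow, line in zip(SAMPLE_FLOWS, audit()):
        print(f"{line}  (port-only policy would: {port_only_decision(flow)})")
```

The second sample flow is the point of the comparison: a port-only policy with 443 open lets the ssh session into the CDE, while the application-keyed policy denies it because no rule names `ssh`. The fourth flow shows the Requirement 7 side: the same database application from an unmapped source is denied, and the audit line records `user=unknown` so the gap in identity mapping is itself visible in the log.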

We’ll be looking at PCI compliance and other major enterprise security issues during Ignite 2014, taking place March 31-April 2 in Las Vegas.

Register now and check out our latest, most-up-to-date list of sessions, which include an industry-specific panel covering healthcare, financial services and public sector, and a presentation by ISA99, the standards body for industrial automation and control systems security.