Many organizations handling payment card data do not have the technology in place to simplify the complex process of compiling the quarterly testing results now required by the Payment Card Industry Data Security Standard (PCI DSS).
These reports must be included in companies' annual compliance assessments, and large organizations that handle cardholder data in older systems have greater difficulty extracting the information needed for audits.
For some, it can become a tedious manual process, resulting in errors or pushing through older test results simply to get the required quarterly testing done on time, said Steven Grossman, vice president of program management at Bay Dynamics.
San Francisco-based Bay Dynamics provides security software for organizations. It also offers a product called Risk Fabric for gathering network data and funneling it into one channel to create a proper quarterly report.
Larger organizations are required to carry out quarterly testing for internal assessment, showing network scans that passed security measures as well as evidence of any remedial activities at the end of the year.
Acquirers also have quarterly reporting requirements to the card brands, but only on the levels of compliance within their portfolios, not for individual organization test results.
A recent study from Bay Dynamics indicates that 81% of IT and security executives manually compiled spreadsheets to report data to their executive boards on a quarterly basis and, ultimately, to PCI security assessors.
"Because most of these organizations are so siloed, without all of the information in one place, all of the focus is on checking the PCI compliance box," Grossman said. "They have to go through a process of actually running the network penetration tests and scans, many from outside vendors, to prove things are encrypted or have multi-factor authentication. They can have literally hundreds of applications and devices to check."
As such, the entire in-house testing process can take "almost the whole quarter to satisfy the quarterly reporting requirement," Grossman added. "It creates a feeling that this is more about being compliant than being secure."
This concern has played out repeatedly in the real world. Target, after making its December 2013 data breach public in early 2014, revealed that it had passed a PCI compliance report in September 2013, just weeks before the breach. That breach led to PCI establishing stronger requirements and testing of third-party remote access to networks.
Years earlier, Heartland Payment Systems disclosed a massive data breach of its own despite having passed its earlier PCI assessments. "The audits that are used to determine compliance are very much overvalued, and we overvalued our audits," Robert O. Carr, Heartland's chairman and chief executive, said in a 2009 interview with American Banker, a sister publication of PaymentsSource.
Grossman said many companies "only scan at certain times in a quarter so they won't have vulnerabilities pop up in a scan that they can't fix in time to report on the PCI report, for fear it will reflect poorly on them."
James Devoy, a PCI qualified security assessor and the chief security officer and global head of risk and assurance for Sysnet Global Solutions, said PCI quarterly reports are often managed in the ecosystem through software that streamlines the process.
Dublin-based Sysnet, which has a U.S. office in Atlanta, focuses on helping smaller merchants with annual PCI assessments. Smaller organizations are not required to do quarterly in-house testing.
Because the PCI Security Standards Council produces and manages the security standards, it cannot endorse a specific technology to help organizations manage their reporting requirements, Devoy said.
"Producing tools would put them in competition with vendors within the ecosystem and therefore devalue any independence," Devoy added. Rather, PCI maintains high standards for the security assessment process while giving larger organizations flexibility in how they approach management of compliance evidence and their reporting through their QSA, acquirers or card brands.
"Many, if not most, of these large organizations have a highly mature internal governance, risk and compliance model to manage not only PCI but also other standards," Devoy said.
Sysnet focuses on the small-merchant sector in which acquirers generally provide quarterly reports to the card brands "from thousands, if not hundreds of thousands of merchants," Devoy added.
Devoy acknowledges that some merchants might just "tick the boxes" to appease acquirers and senior management, but PCI compliance is far more than that in its mission to secure cardholder data.
"Technology and threats will always evolve, which means merchants and service providers must also continuously evolve to protect their systems," Devoy said.
If IT departments say their workload has increased because of PCI requirements, it often means the organization did not have a mature patching, hardening or vulnerability management program in place for its network, Devoy said.
Even though there are technological challenges to completing quarterly tests and reports, that should not reflect poorly on the overall philosophy behind the PCI standard, Bay Dynamics' Grossman said.
"It's important not to throw the baby out with the bath water," he said. "Everything PCI advocates is important and critical to protecting information, and most of it should be things that people are doing as a matter of routine business."
The key factor is that while being compliant should not be a major task, organizations need to consider how best to automate data collection and communicate it to PCI accurately, Grossman said. "If you can't report on what your landscape looks like, with its gaps and weaknesses, you won't know what needs to be done to address it."