23rd PCI London
26 January 2022, London
Full compliance with PCI DSS is plunging. But does it matter?
Is partial compliance enough? Or does falling compliance reveal a darker truth about cybersecurity in general?
According to Verizon's latest PSR (Payment Security Report),
“Fewer and fewer organizations are demonstrating the ability to keep a minimum baseline of security controls in place. In 2019, from the total population of organizations assessed on PCI DSS compliance, only 27.9% of organizations achieved 100% compliance during their interim compliance validation.
This is a further 8.8 percentage-point (pp) drop from the year before, when only 36.7% of organizations demonstrated full compliance… The compliance downturn in 2019 isn't the result of changes to the PCI DSS requirements.
A marked decrease in sustainability has been noted by the PSR for several years… As before, security testing—Requirement 11—continues to be the requirement that organizations experience the most difficulty with keeping in place.”
PCI DSS version 3.2.1 consists of 12 PCI DSS Key Requirements, 79 base requirements, 252 control requirements, and 440 test procedures. It's no great surprise then that full compliance proves challenging. So what about partial compliance?
The measure of good security is not total compliance with a standard or set of regulations. And there are plenty of critical areas, MiFID II for example, where key institutions are very far from complete compliance.
The question then becomes, which parts of the PCI DSS standard are the most important? Where should compliance officers focus their limited resources? Where are the weak points in people’s compliance regimes? Has remote working caused any of the drop in compliance reported? And what kinds of technologies can help plug the gaps?
The Verizon report also goes big picture. It notes that cybersecurity overall continues to be plagued by underinvestment on the one hand and an overly complex solutions ecosystem on the other. Companies cannot be expected to keep up with the pace of digital transformation, the continuous development of new security tools, the vast increase in their attack surfaces and in the sophistication of attackers. They have their own businesses to run and that is hard enough in today’s environment.
Blaming management, as Verizon seems to do, is not the answer. The answer is that the current model of security and compliance is broken.
The security ecosystem, creating as it does security stacks of up to 70 tools, is not fit for purpose. And standards and regulations, by creating more and more complex rules to cope with markets they lag behind and do not understand, become less and less relevant to the risks they are trying to mitigate.
So is the right answer for PCI DSS simply to look at your own risks and then comply with the parts of the standard that pertain to them?
PCI London will look at how we all need a new kind of compliance and a new kind of security. Join our real-life case studies and in-depth technical sessions from the security and privacy teams at some of the world’s most admired brands.