By now, most of you have either read or are aware that Verizon released it’s 2010 Data Breach Investigations Report. It details the specifics on data breaches and how effective (or ineffective) the the controls are that are being used as countermeasures at organizations that have suffered a breach. This report slices and dices the data about any which way you can think of and consequently it’s very enlightening. It calls into question many of the traditional controls that security administrators have used for years and makes one wonder whether or not they actually help at all. If you have a few minutes, I encourage you to read it. It can be found here:
However, that is not why I wrote this article as that has been well documented already. What people might not be aware of is that Verizon also recently released a companion report Verizon 2010 Payment Card Industry Compliance Report. In this report, Verizon has compiled data surrounding their PCI clients and broken the research down into subcategories and the specifics of the PCI DSS. As far as I know, this is the first large scale effort at compiling PCI data detailing what customers are doing effectively, what they are not, and then correlating that against actual breaches.
For those of you that have worked with PCI for any period of time, you are well aware of the debate that rages on as to whether or not the DSS actually makes organizations more secure. Rather than delve into that argument, I’d prefer to highlight what the data from the report suggests. According to the report, organizations that suffered a breach were 50% less likely to be compliant than a normal population of PCI clients (clients that are moving towards compliance but have not yet been validated as compliant). So while the data suggest that organizations that have been validated as PCI compliant are less likely to suffer a breach, some still do get breached. So, does this mean that PCI works, or doesn’t work? I’d be interested in hearing your opinions on that. Feel free to leave comments with any thoughts you may have.
If you are interested in reading the report in it’s entirety it can be downloaded here: