

Lack of testing, lack of built-in security, and inadequate protection for stored data lead the list of PCI noncompliance items

I figured that since the PCI DSS compliance deadline for Level 1 merchants was this past Sunday, there would probably be a ton of published news reports about it on Monday. There were...and today as well! One that caught my eye was in eWeek on Monday, "Comparison Shows Very Little Shift in PCI Failures."

Basically the story compared the top 10 PCI DSS compliance failures Verisign found last year with those it found this year. Why didn't they create a table showing this? Well, I guess they assume you'll submit your contact information at the Verisign site to get to it within their September 17 report, but that report does not have a table showing the year-to-year comparisons. In fact, I could not find all the numbers for each year that the eWeek report listed. I couldn't reconcile the information in the eWeek report with the information in the Verisign report...dang it!


I wanted to put what I could find into a rudimentary table format for you, but I can't get my darn blog site capabilities to cooperate with me! UGH! This has been a trying day on top of so many other things...yes, some other blog topics to cover when I have a less frustration-skewed view of them...


Top 10 PCI DSS Compliance Failures (Verisign findings, 2006 vs. 2007; "?" means I could not find the 2007 rank)

Failed in 2006 by | PCI DSS requirement                                                                              | 2007 rank
------------------|--------------------------------------------------------------------------------------------------|----------
79%               | Req 3: Protect stored data                                                                       | #3
74%               | Req 11: Regularly test security systems and processes                                            | #1
71%               | Req 8: Assign a unique ID to each person with computer access                                    | ?
71%               | Req 10: Track and monitor all access to network resources and cardholder data                    | ?
66%               | Req 1: Install and maintain a firewall configuration to protect data                             | ?
62%               | Req 2: Do not use vendor-supplied defaults for system passwords and other security parameters    | ?
60%               | Req 12: Maintain a policy that addresses information security                                    | ?
59%               | Req 9: Restrict physical access to cardholder data                                                | ?
56%               | Req 6: Develop and maintain secure systems and applications                                      | #2
45%               | Req 4: Encrypt transmission of cardholder data and sensitive information across public networks  | ?

I'm somewhat surprised at encryption being failed only 45% of the time. Most of the many, many privacy breaches were a result of data not being encrypted. If the trend is showing that more organizations are encrypting personally identifiable information (PII), then that is a good sign! However, until all mobile PII is encrypted we'll continue to see a large number of privacy breaches.

The lack of testing and the lack of building security into applications also don't surprise me, but they are disappointing. Building security in, and then testing to ensure it actually works securely, could prevent so many privacy breaches.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.