Important lessons from the SecurityMetrics 2018 Guide to PCI DSS Compliance. 

Our 2018 PCI Guide is out and already helping businesses understand the Payment Card Industry Data Security Standard (PCI DSS) and simplify their own compliance journeys.

Merchants use our PCI Guide both as a desk-side PCI reference and as a tool to direct and track their organizations’ internal PCI compliance efforts. But there’s also another side to the Guide. Our ultimate goal is to help you secure data and protect your business, so we’ve included highlights from our own research in the Guide to give you a clearer picture of how compliance and security work together.

Download the SecurityMetrics 2018 PCI Guide here.

This post will cover some of the most important takeaways from our Guide, so you can apply these lessons to the everyday operations of your business.

Forensic Data from 2017 Investigations

Our PCI Forensic Investigators (PFIs) have been helping businesses analyze and recover from suspected data breaches for over 15 years. In the process, they’ve witnessed the rise and fall of popular cyber-attack trends and collected a trove of useful forensic data that can inform your data security implementations.

What we found regarding the average breached merchant:

  • The average organization was vulnerable for 1,549 days. 

  • Cardholder data was captured for an average of 237 days. 

  • Cardholder data was exfiltrated for an average of 264 days. 

  • 45% of organizations were breached through insecure remote access. 

  • 39% of organizations had memory-scraping malware installed on their system. 

WEBINAR: Lessons Learned from 2017 Forensic Investigations

In general, we see that these trends stem directly from non-compliance with the PCI DSS.

Most organizations will experience system attacks from a variety of sources, and some of these attacks will result in data breaches. Some breaches are due to system or technology weakness, others to internal security process failures (e.g., ignoring patches and updates). Whatever the source of the attack or the ultimate reason for compromise, we’ve found a strong correlation between non-compliance and data breaches.

The PCI DSS is specifically designed to protect merchants and organizations that deal with payment card data and associated sensitive information. Following its requirements exactly will greatly diminish the chances of a successful cyber-attack on your systems.

Our Forensic Investigators track which PCI requirements organizations are—or are not—compliant with at the time of a data breach.



Our PFIs also record whether non-compliance with these requirements directly contributed to the data breach.


You can see that non-compliance with requirements like 10 (logging), 11 (vulnerability scans), and 12 (policy/procedures documentation) frequently contributed to the data breaches themselves.

Further, if there is a successful attack, shrinking the window of compromise will go a long way to lessen the damage a data breach can cause. The longer attackers have access to your data without you knowing, the more they can take and the more profit they stand to make.

Takeaway: You can shrink the window of compromise by properly implementing security measures like PCI requirement 10, “Implement Logging and Log Management,” or PCI requirement 7, “Restrict Access.”

Download our 2017 Forensic Data Breach Trends Infographic here.

Top 10 failing self-assessment questionnaire (SAQ) sections

We scanned our merchant database in search of the top 10 areas where SecurityMetrics merchants struggle to become compliant. Starting with the least adopted requirement, these are the results:

  • Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
  • Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  • Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  • Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  • Requirement 12.6: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  • Requirement 9.9.2.b: Verify that personnel are aware of procedures for inspecting devices and that devices are periodically inspected for evidence of tampering.
  • Requirement 9.9.2.a: Verify that documented processes include procedures for inspecting devices and frequency of inspections.
  • Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  • Requirement 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
  • Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.


2017 showed significant decreases in compliance levels when compared to previous years. None of the investigated breached merchants in 2017 were found to be compliant with PCI DSS. In nearly every case, the vulnerabilities that attackers leveraged to gain access to merchant systems were covered by specific sections of the PCI DSS.

Takeaway: In other words, had the organization been compliant with those sections of the PCI DSS, the breach likely would not have occurred.

Download our 2017 PANscan Results Infographic here. 

Vulnerability scan results

External vulnerability scans performed by a PCI Approved Scanning Vendor (ASV) are just one tool in validating PCI compliance. But the results can also provide valuable insight into common weak spots you should pay special attention to.

These are the top 5 areas where SecurityMetrics customers failed vulnerability scans. One can surmise that these trends extend to other businesses as well, whether or not they are currently working on their security:

  • TLS Version 1.0 Protocol Detection
  • SSL Medium Strength Cipher Suites Supported
  • SSL 64-bit Block Size Cipher Suites Supported (Sweet32)
  • SSL Certificate with Wrong Hostname
  • SSL Self-Signed Certificate

Takeaway: If you haven't already, make sure your cryptographic protocols are in line with the latest PCI Council guidance.
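As an added example (not taken from the SecurityMetrics guide), the Python sketch below builds a server-side TLS context that avoids the first three findings in the list above and audits any protocol and cipher configuration against them. The function names, the constructed sample, and the 128-bit threshold for "medium strength" are assumptions made for illustration; the two certificate findings are not covered.

```python
import ssl

# Substrings that mark 64-bit block ciphers (the Sweet32 class) in suite names.
BLOCK64_MARKERS = ("3DES", "DES-CBC", "IDEA", "RC2")
# Assumed threshold: treat anything under 128 effective bits as "medium strength".
# Check your scanner's own definition before relying on this value.
MIN_STRENGTH_BITS = 128

def hardened_server_context():
    """Server context limited to TLS 1.2+ with forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def audit(min_version, ciphers):
    """Return the scan findings (named as in the list above) a config would trigger.

    ciphers is a list of dicts with 'name' and 'strength_bits', the same shape
    that ssl.SSLContext.get_ciphers() returns.
    """
    findings = []
    if min_version <= ssl.TLSVersion.TLSv1:
        findings.append("TLS Version 1.0 Protocol Detection")
    if any(c["strength_bits"] < MIN_STRENGTH_BITS for c in ciphers):
        findings.append("SSL Medium Strength Cipher Suites Supported")
    if any(m in c["name"] for c in ciphers for m in BLOCK64_MARKERS):
        findings.append("SSL 64-bit Block Size Cipher Suites Supported (Sweet32)")
    return findings

def audit_context(ctx):
    """Audit a live SSLContext using its own minimum version and cipher list."""
    return audit(ctx.minimum_version, ctx.get_ciphers())

# Constructed sample of a legacy endpoint: TLS 1.0 allowed, 3DES still offered.
LEGACY_SAMPLE = [
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
]

if __name__ == "__main__":
    print("legacy:", audit(ssl.TLSVersion.TLSv1, LEGACY_SAMPLE))
    print("hardened:", audit_context(hardened_server_context()))
```
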

Your PCI compliance journey

When planning and designing your organization’s compliance journey, it helps to understand the bigger picture. PCI DSS requirements were not designed arbitrarily; they were designed specifically to help you avoid data breaches and mitigate their effects if they do happen.

The SecurityMetrics 2018 Guide to PCI DSS Compliance is a powerful tool for understanding and appreciating the connection between compliance and security.

Let us know what you think about the guide! Email us at pr@securitymetrics.com with your feedback.

Interested in a PCI Audit, HIPAA Audit, or our other security services? Contact us here.