2019 PCI Compliance Trends
HOW DOES YOUR ORGANIZATION RANK?
2018 SECURITYMETRICS CUSTOMER TRENDS
- 72%: Percentage of SecurityMetrics customers that passed their first scan
- 11 days: Average time from finished first scan to first passing scan
- 1.61 scans: Average number of times scanned until merchants pass their PCI scan
- 32 days: Average time to reach PCI DSS compliance
- 1.28 times: Average number of support incidents before customers became compliant
- 85%: Percentage of SecurityMetrics customers that started their SAQ and achieved a passing status
TOP 10 FAILING SAQ SECTIONS
We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:
- Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
- Requirement 12.6.1: Educate personnel upon hire and at least annually.
- Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
- Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
- Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
- Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
- Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
- Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
- Requirement 12.3.5: [Verify that the usage policies define] acceptable uses of the technology.
- Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
TOP 5 FAILED VULNERABILITIES
- TLS version 1.0 protocol detection: Exists if the remote service accepts connections using TLS 1.0 encryption
- SSL 64-bit block size cipher suites supported (SWEET32): Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites
- SSL certificate with wrong hostname: Happens when the SSL certificate presented by the tested service was issued for a different host
- SSL medium strength cipher suites supported: Occurs when a remote host supports the use of SSL ciphers that offer medium strength encryption
- SSL self-signed certificate: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)
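As an added example (not part of the SecurityMetrics report), the Python below encodes each of the five findings as a rule check over a constructed description of one TLS endpoint, so a remediation team can see what each finding keys on; the field names, the sample data and the medium-strength cipher set are this example's own assumptions, not a scanner's schema.

```python
import fnmatch

SAMPLE_ENDPOINT = {  # constructed inventory of one service's TLS settings, not real data
    "hostname": "pay.example.test",
    "protocols": ["TLSv1.0", "TLSv1.2"],
    "cipher_suites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "cert_subject": "CN=shop.example.test, O=Example Shop",
    "cert_issuer": "CN=shop.example.test, O=Example Shop",
    "cert_sans": ["shop.example.test", "*.internal.example.test"],
}

# SWEET32 keys on 64-bit block ciphers (3DES, IDEA, RC2, single DES); the
# medium-strength set approximates a scanner's 64-112 bit key bucket (assumption).
BLOCK64_MARKERS = ("3DES", "DES_CBC3", "IDEA", "RC2", "_DES_")
MEDIUM_MARKERS = ("3DES", "DES_CBC3", "IDEA", "RC2", "SEED")

def _cn(dn):
    """CN value from a comma-separated DN string ("" if absent)."""
    attrs = dict(p.strip().partition("=")[::2] for p in dn.split(","))
    return attrs.get("CN", "")

def hostname_matches(hostname, names):
    """True if hostname equals a CN/SAN entry or fits a single-label wildcard (*.example.test)."""
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*.") and "*" not in name[2:]:
            if host.count(".") == name.count(".") and fnmatch.fnmatchcase(host, name):
                return True
        elif host == name:
            return True
    return False

def evaluate_tls_endpoint(ep):
    """Return the failing findings for one endpoint, in the report's order."""
    findings = []
    suites = [s.upper() for s in ep["cipher_suites"]]
    if "TLSv1.0" in ep["protocols"]:
        findings.append("TLS version 1.0 protocol detection")
    if any(m in s for s in suites for m in BLOCK64_MARKERS):
        findings.append("SSL 64-bit block size cipher suites supported (SWEET32)")
    if not hostname_matches(ep["hostname"], [_cn(ep["cert_subject"])] + ep["cert_sans"]):
        findings.append("SSL certificate with wrong hostname")
    if any(m in s for s in suites for m in MEDIUM_MARKERS):
        findings.append("SSL medium strength cipher suites supported")
    if ep["cert_subject"] == ep["cert_issuer"]:  # issuer DN equals subject DN
        findings.append("SSL self-signed certificate")
    return findings
```

The sample endpoint trips all five findings; disabling TLS 1.0, dropping the 3DES suite, and presenting a CA-issued certificate whose CN or SAN covers the served hostname clears them.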