Verizon released the Verizon 2015 PCI Compliance Report on March 12. The 84-page report contains an overview of how ‘compliant’ companies are and the findings compare prior years’ results to current.

Hospitality Upgrade was invited to interview an author of the report. We asked regular contributor Marion Roger, VP Business Development, Hospitality Evolution Resources, to conduct an interview with Franklin Tallah, lead for hospitality for Verizon.

Note: About 20 percent of the companies covered by Verizon’s report were defined as “hospitality” (grouping hotels, online travel companies, airlines and restaurants.)

To help our readers cut to the chase, Roger asked Tallah, to share what he thought were the most important takeaways for our readers. Tallah’s responses are below:

1. During interim investigation assessments, only 12 percent of all the companies included in the study were compliant at the testing phase, meaning 88 percent were non-compliant at testing. Tallah indicated that the “least prepared industry” was the hospitality segment.  Only four percent of hospitality entities were compliant at interim testing level.  He went on to add that restaurants and travel companies (OTAs and airlines, technically part of the hospitality segment studied) actually fared better than hotels. Thus, given the three groups COMBINED scored an average of only four percent passing, one could deduce that hotels were even LESS than four percent compliant at the interim stage.  

He then expanded his comments to note the report found the hospitality industry as the sector that needs a longer remediation period, sharing they often struggled between the interim findings and fixing issues before the final stages. He attributed that in part to the hub and spoke structure of head offices and the portfolio of properties.

Roger asked if he was surprised that despite the increasing maturity of the standard and organizations’ understanding of it, attaining compliance remains far from easy. Tallah opined that although we operate in such a rapidly evolving threat landscape, the 12 requirements are a good starting point and yet so many are not even passing more than a few.

In particular, Tallah noted that of the 12 requirements, that hospitality companies typically passed only two of them in the interim stage: Requirement #1- having a firewall, and Requirement #12 – Maintaining security policies (an infosec environment.)   Of the other requirements (Principles 2 through 11 inclusive) the hospitality industry as a whole failed.

[For those needing a quick “cheat sheet”, the 12 PCI DSS requirements include maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining antivirus software, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.]

2. Of all the data breaches Verizon’s forensics team investigated over the last 10 years, not a single company was found to be compliant with all 12 PCI requirements at the time of the breach. That said, compliance is up on the whole. Between 2013 and 2014, compliance across the entire population studied, rose in every area except testing security systems.

Of the 12 PCI compliance requirements No. 11, Testing Security Systems, was the only requirement that experienced drop off; dropping from 40 percent to 33 percent compliance.

Tallah pointed out that while testing was a challenge for everyone, the 2014 report also uncovered that the hospitality” sector is the one that struggles the most with the internal vulnerability scan phase of testing. This test is monitored as a pass/fail, and the hospitality industry as a whole failed this phase.

3. He wrapped up with some interesting correlation findings related to the principles. The first finding is that on average, breached organizations were 36 percent less likely to be compliant with a given requirement. In particular 45 percent of the breached companies were not compliant on patch management and development security.

Tallah remarked that sadly the study illustrated one can see a clear correlation between those companies that are not fully PCI compliant and the level of risk they face.

There are a variety of angles to take on the report and a lot of detailed data to sift through.  Depending on the sector and role the reader, interpretation leads to either very positive or quite negative news. 

Delve into the report and grasp that as mentioned earlier, only 20 percent of businesses passed their most recent PCI compliance assessments. But remember: while this is better than the 10 percent compliance rate cited in the 2014 report, it’s important to note that of all the breaches reported by Verizon last year, “not a single company has been found to be compliant at the time of the breach,” underscoring the importance of PCI DSS compliance.

Clearly PCI compliance is only a single element of a much broader security and risk management portfolio. As Forrester Research highlighted on March 3 of this year: “If regulations are the beginning and end of your security strategy, you need to rethink your strategy. Compliance-based strategies have narrow controls that are of limited use to the entire enterprise.”

Click here to view the full report.