A couple of days ago I pointed to the new Verizon Payment Card Industry Compliance Report (PDF available at http://www.verizonbusiness.com//resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf).
I have read and digested it, I have also read and been unable to digest (or even keep down) some of the “supporting” information.
Short version- it is a first try, and it has useful data- data you will not find elsewhere. Some of that data and accompanying analysis can help organizations battling PCI compliance, and those who audit/assess or consult organizations attempting to comply with PCI-DSS.
There is, unfortunately, some complete crap surrounding the data, some of the report was apparently written by myopic PCI cheerleaders. A lack of overall understanding of the security landscape, and the occasional straw man may make you want to stop reading before you get far- but don’t give up, there is much more good than bad, just keep your reality distortion shields up and you will learn from the report. You can also learn from the mistakes of others, which is not as visceral as learning from your own mistakes but is much less painful.
Some things really jump out at you- like the 78% non-compliance rate at the initial assessment. At the time of the initial assessment over 50% of organizations were not compliant with 8 of the 12 requirement areas. Requirement 11, regular testing of security systems and processes came in dead last in initial compliance.
The report states that the 22% that were found compliant at the initial assessment were mostly experienced at PCI-DSS, but many that had been found complaint previously were deficient in the subsequent assessments included in this report. It would be great to know how many of the formerly complaint were assessed by Verizon previously as opposed to how many were assessed by other QSA firms- and how the compared. Not holding my breath for those stats, but they would be telling. The lack of quality assurance in the QSA space is one of the things I have railed about in the past, this data could really help the PCI council address some of these problems (if they had any interest in doing so).
It will be interesting to see what conversations come from this report.
Jack