PCI Compliance and Data Security: Can MSPs Do More?
Many MSPs offer vulnerability scanning services to help customers meet their Payment Card Industry (PCI) Data Security Standard duties. A newly released Verizon report suggests they may need to do more than run occasional checks. About one fifth of organizations studied were fully PCI compliant at the time of their Initial Report on Compliance, according to Verizon’s 2011 Payment Card Industry Compliance Report. But where do we go from here — especially if you’re a managed services provider (MSP) focused on corporate compliance issues?
First, let’s look at the data: Roughly 21 percent of the customers in Verizon’s study hit the compliance mark, while 79 percent were off target. The numbers are significant as PCI impacts a wide range of companies and government entities. PCI security measures apply to any organization that handles credit card data. The PCI Security Standards Council manages the security standard, which is currently on version 2.0.
In producing the report, Verizon relied on its own experience conducting PCI assessments for customers. The company employs a group of Qualified Security Assessors to work the PCI compliance front. The PCI Security Standards Council certifies companies as Qualified Security Assessors.
Verizon found that both enterprises that had previously achieved PCI compliance and PCI newcomers failed to meet the standard.
“Many organizations have a hard time sustaining the efforts required to be compliant year after year,” the report noted.
Where are they falling down? The Verizon report points to several areas: protecting stored cardholder data, tracking and monitoring access, regularly testing systems and processes, and maintaining security policies.
As for regular testing, PCI calls for quarterly vulnerability scanning among other tests. The apparent scanning shortfall is somewhat surprising, given that MSPs often focus their managed PCI security services precisely in that area. The problem, however, doesn’t appear to be lack of available scanning sources. According to Verizon, organizations trip up on the number of scans they are asked to perform.
“Time and resource constraints” became obstacles for some entities in Verizon’s sample, according to the report.
The other issues noted above suggest a few service lines MSPs might consider for expanding their PCI practices. For example, the task of tracking and monitoring network access calls for customers to maintain system logs. Some service providers already stand prepared to take on the log-minding function.
Perimeter E-Security, a security as a service provider, recently unveiled a Software-as-a-Service-based log management solution. MSPs can also partner to provide log management. Alert Logic, for instance, offers its SaaS-based Log Manager to MSPs and VARs.
The apparent gap in maintaining security policies, meanwhile, suggests a need for some foundational security advice as well as the more technology-driven security services. Helping customers craft security policies is quite a move upstream. It might make sense to team up with a security consultant or two.
The Verizon report offers a reminder that security — PCI or otherwise — shouldn’t be episodic. The job calls for a continuous cycle of vulnerability assessment, remediation, and re-checking. Within that regimen, MSPs may well find opportunities to expand their current role with customers.