The 2023 SecurityMetrics Guide to PCI DSS Compliance Has Launched

In the face of current cybersecurity challenges, PCI DSS compliance is more important for merchants than ever. The Payment Card Industry Data Security Standard was established in 2006 to help merchants protect payment data. Compliance with the PCI DSS is an industry requirement for any company that accepts major credit cards and can help them develop their own robust security program.

Some organizations may feel overwhelmed by or frustrated with PCI compliance. It can be helpful to remember that the Payment Card Industry Data Security Standard was created to help businesses. The majority of SMBs that experience a data breach will go out of business and even large corporations struggle to stay open after the financial and social impact of a data breach.

After experiencing a security breach in his first business, Brad Caldwell (CEO) founded SecurityMetrics in 2000. We understand the challenges that SMBs face when trying to stay PCI compliant and the importance of PCI compliance in keeping organizations safe. One of Brad’s core objectives when founding SecurityMetrics was to provide tools and services that are accessible to small-to-medium businesses (SMBs).

That’s why we created the eighth edition of our free PCI guide. Every year, SecurityMetrics’ teams collaborate to update and release the Guide to PCI DSS Compliance in accordance with this goal.

The SecurityMetrics Guide to PCI DSS Compliance

The PCI Guide includes interactive and printable IT checklists for every requirement, stories and tips from our security analysts (QSAs), and forensic data breach research data, as well as the latest updates on PCI DSS compliance. It is meant to be a tool in the arsenal of a CISO, IT manager, security officer, or anyone involved in security and compliance.

Audit Director, Matt Halbleib (CISSP, CISA, QSA), said "We publish our guide to give businesses of all sizes a tool to understand and organize their PCI compliance efforts. Maintaining PCI compliance in an environment-specific way helps businesses protect their data, detect breaches, and keep cybercriminals off their network."

The 2023 PCI DSS Guide has been updated to include:

• Insight into what to expect for PCI DSS 4.0
• 2023 forensic data breach predictions
• Tips for applying the PCI DSS in a cloud environment
• Information on e-commerce attacks including iFrame hacks
• How to set up a PCI-compliant remote workforce setup
• Interactive IT checklists for each requirement
• Brand new PCI compliance trends and customer data
• Tips and experiences from PCI Auditors (QSAs)

"Businesses who utilize the Guide to PCI DSS Compliance can better organize their compliance efforts and understand the way PCI compliance requirements affect cybersecurity. On top of that, the PCI Guide is a great training tool when assigning new resources to your PCI compliance effort,” said SecurityMetrics VP of Assessments Gary Glover (CISSP, CISA, QSA).

PANscan Data:

Since 2010, SecurityMetrics PANscan® has discovered over 3 billion unencrypted primary account numbers (PAN) on business networks. Storage of unencrypted payment card data increases your organization's risk and liability in the event of a data breach. This infographic examines user results of PANscan from 2022 and compares it to previous years.

2022 STATISTICS

• 85.6% of PANscan® users discovered unencrypted PAN data
• 5% store track data (data inside magnetic stripe)
• Over 3,715,741 PANs were found

Shopping Cart Inspect Data:

TRENDS FROM 2022 SECURITYMETRICS SHOPPING CART INSPECT INVESTIGATIONS

• 92.4% of Shopping Cart Inspect reviews identified malicious, suspicious, and/or concerning issues on researched ecommerce sites.
• 7.4% of inspected ecommerce sites had malicious issues.
• 80.2% of inspected ecommerce sites had suspicious issues.
• 53.5% of inspected ecommerce sites had concerning issues.
• 2.44 issues: Average number of issues identified in a Shopping Cart Inspect review.
• 3.70% of issues discovered were malicious; 68.26% of issues discovered were suspicious; 28.04% of issues discovered were concerning.

PCI Compliance Data:

2022 SECURITYMETRICS CUSTOMER TRENDS

• 99.5% of SecurityMetrics customers that started their SAQ have achieved a passing status
• 21 days: Average time to reach PCI DSS compliance
• 0.98 times: Average number of support incidents before customers became compliant
• 79.19% percent of SecurityMetrics customers that passed their first scan
• 11 days: Average time from finished first scan to first passing scan
• 1.4 scans: Average number of times scanned until merchants pass their PCI scan

Top10 Failing SAQ Sections

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
2. Requirement 12.10.1: Create an incident response plan to be implemented in the event of a system breach.
3. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
4. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
5. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
6. Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
7. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
8. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
9. Requirement 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data that they possess or impact the security of the cardholder data environment.
10. Requirement 12.8.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.

Top 5 Failed Vulnerabilities

1. TLS VERSION 1.1 PROTOCOL DETECTION

Exists if the remote service accepts connections using TLS 1.1 encryption

2. TLS VERSION 1.0 PROTOCOL DETECTION

Exists if the remote service accepts connections using TLS 1.0 encryption

3. SSL SELF-SIGNED CERTIFICATE

Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)

4. TLS VERSION 1.1 PROTOCOL DEPRECATED

5. SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32)
Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites

PCI DSS Compliance as a framework for organizational security

The PCI DSS is a security standard that can provide an organized and comprehensive framework for any environment. It includes specific SAQs, based on variables like the way companies take payment information. These SAQs cover which specific places businesses need to look to start their data security programs and can save companies time and money.

Download a copy of the SecurityMetrics Guide to PCI DSS Compliance here to get started.

See what PCI Guide users have to say

“I needed quick and straightforward guidance on how the PCI DSS requirements apply to software development. I was able to quickly find what I needed written in a way that was both quickly digestible and highly understandable. This resolved the concerns we had and reinforced the importance of the standardization of process controls we are putting in place.”

‍

“This is a fantastic guide for merchants on any level to work towards becoming PCI compliant, it also serves as a great resource to train future hires!”

“Excellent guide to PCI compliance which provides a manageable template to develop internal policies and procedures.”

“The Security Metrics Guide was very comprehensive and definitely extremely useful. I especially benefited from the IT checklist guide.”

“...SecurityMetrics Guide to PCI DSS Compliance is a one-stop guide to ensuring your organization is PCI DSS compliant. This is the best comprehensive guide I've found.”

“Made us aware of a lot of details concerning our security... also our service provider responsibilities, which we were not aware of. Provided us with valuable tips for firewalls and explained a lot of terminology that was unknown before PCI DSS.”