See how you rank against PCI compliance trends over the years.
Findings From SecurityMetrics' PCI Compliance Customers
Merchants often have a difficult time attaining (or maintaining) PCI compliance for a variety of reasons. Many smaller merchants believe it’s too technical or costly, while others simply don’t believe it’s effective and refuse to comply.
With the help of SecurityMetrics, simplify your PCI compliance and provide your business with enhanced data security.
93.6% of SecurityMetrics customers that started their SAQ have achieved a passing status
20.33 days: Average time to reach PCI DSS compliance
0.98 times: Average number of support incidents before customers became compliant
77.67% of SecurityMetrics customers passed their first scan
8.5 days: Average time from finished first scan to first passing scan
1.57 scans: Average number of times scanned until merchants pass their PCI scan
TOP 10 FAILING SAQ SECTIONS
We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:
Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.
TOP 5 FAILED VULNERABILITIES
TLS VERSION 1.0 PROTOCOL DETECTION: Exists if the remote service accepts connections using TLS 1.0 encryption
SSL SELF-SIGNED CERTIFICATE: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)
SSL CERTIFICATE WITH WRONG HOSTNAME: Happens when an SSL certificate for the tested service is for a different host
94% of SecurityMetrics customers that started their SAQ have achieved a passing status
25.75 days: Average time to reach PCI DSS compliance
1.4 times: Average number of support incidents before customers became compliant
71% of SecurityMetrics customers passed their first scan
5.2 days: Average time from finished first scan to first passing scan
1.75 scans: Average number of times scanned until merchants pass their PCI scan
TOP 10 FAILING SAQ SECTIONS
We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:
Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.
TOP 5 FAILED VULNERABILITIES
TLS VERSION 1.0 PROTOCOL DETECTION: Exists if the remote service accepts connections using TLS 1.0 encryption
SSL CERTIFICATE WITH WRONG HOSTNAME: Happens when an SSL certificate for the tested service is for a different host
SSL CERTIFICATE CANNOT BE TRUSTED: Happens if the SSL certificate presented by the tested service cannot be trusted
SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32): Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites
SSL SELF-SIGNED CERTIFICATE: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)
94% of SecurityMetrics customers that started their SAQ have achieved a passing status
17 days: Average time to reach PCI DSS compliance
0.9 times: Average number of support incidents before customers became compliant
74% of SecurityMetrics customers passed their first scan
5.5 days: Average time from finished first scan to first passing scan
1.57 scans: Average number of times scanned until merchants pass their PCI scan
TOP 10 FAILING SAQ SECTIONS
We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:
Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.
TOP 5 FAILED VULNERABILITIES
TLS VERSION 1.0 PROTOCOL DETECTION: Exists if the remote service accepts connections using TLS 1.0 encryption
SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32): Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites
SSL CERTIFICATE WITH WRONG HOSTNAME: Happens when an SSL certificate for the tested service is for a different host
SSL SELF-SIGNED CERTIFICATE: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)
SSL RC4 CIPHER SUITES SUPPORTED (BAR MITZVAH): Exists when the RC4 encryption algorithm is used in SSL/TLS transmission
72% of SecurityMetrics customers passed their first scan
11 days: Average time from finished first scan to first passing scan
1.61 scans: Average number of times scanned until merchants pass their PCI scan
32 days: Average time to reach PCI DSS compliance
1.28 times: Average number of support incidents before customers became compliant
85% of SecurityMetrics customers that started their SAQ have achieved a passing status
TOP 10 FAILING SAQ SECTIONS
We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:
Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
Requirement 12.6.1: Educate personnel upon hire and at least annually.
Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
Requirement 12.3.5: [Verify that the usage policies define] acceptable uses of the technology.
Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
TOP 5 FAILED VULNERABILITIES
TLS VERSION 1.0 PROTOCOL DETECTION: Exists if the remote service accepts connections using TLS 1.0 encryption
SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32): Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites
SSL CERTIFICATE WITH WRONG HOSTNAME: Happens when an SSL certificate for the tested service is for a different host
SSL MEDIUM STRENGTH CIPHER SUITES SUPPORTED: Occurs when a remote host supports the use of SSL ciphers that offer medium strength encryption
SSL SELF-SIGNED CERTIFICATE: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)
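As an added example (not SecurityMetrics code and not part of the original page), the following standard-library Python shows a server TLS context that avoids the findings listed in each of the TOP 5 FAILED VULNERABILITIES sections above, plus two audit functions that flag those findings from configuration data. The cipher entries and certificate dicts are constructed sample input shaped like SSLContext.get_ciphers() and getpeercert() output; the function names are this example's own.

```python
import ssl

# Constructed sample input (not from a real scan): cipher entries shaped like
# SSLContext.get_ciphers() output. 3DES has 112 effective bits; RC4 is a stream cipher.
WEAK_CIPHERS = [
    {"name": "DES-CBC3-SHA", "symmetric": "des-ede3-cbc", "strength_bits": 112},
    {"name": "RC4-SHA", "symmetric": "rc4", "strength_bits": 128},
]


def build_hardened_context() -> ssl.SSLContext:
    """Server context that avoids the listed findings: TLS 1.2 or newer only,
    and no RC4, 64-bit-block (DES/3DES/IDEA) or medium-strength suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out TLS 1.0 and 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES:!IDEA")
    return ctx


def audit_ciphers(min_version, ciphers):
    """Return the finding names triggered by a minimum protocol version and a
    list of cipher dicts (as returned by SSLContext.get_ciphers())."""
    findings = set()
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) also lands here because it
    # defers the floor to the library, so a scan may still see TLS 1.0 answer.
    if min_version < ssl.TLSVersion.TLSv1_1:
        findings.add("TLS VERSION 1.0 PROTOCOL DETECTION")
    for c in ciphers:
        sym = (c.get("symmetric") or "").lower()
        if sym.startswith("rc4"):
            findings.add("SSL RC4 CIPHER SUITES SUPPORTED (BAR MITZVAH)")
        if sym.startswith(("des", "idea")):  # 64-bit block ciphers
            findings.add("SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32)")
        if 64 <= c.get("strength_bits", 0) <= 112:  # e.g. 3DES: 112 effective bits
            findings.add("SSL MEDIUM STRENGTH CIPHER SUITES SUPPORTED")
    return sorted(findings)


def audit_certificate(cert, hostname):
    """Flag self-signed and wrong-hostname certificates from a getpeercert()
    style dict (subject/issuer tuples plus a subjectAltName tuple)."""
    findings = []
    if cert.get("subject") == cert.get("issuer"):  # issuer is itself
        findings.append("SSL SELF-SIGNED CERTIFICATE")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    host = hostname.lower()
    # Accept an exact SAN entry or a single-label wildcard for the parent domain.
    wildcard = "*." + host.split(".", 1)[1] if "." in host else ""
    if host not in names and wildcard not in names:
        findings.append("SSL CERTIFICATE WITH WRONG HOSTNAME")
    return findings
```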