Bottom-20 lists


  • The 20 biggest control gaps

    The control gap is the number of failed controls divided by the total number of controls expected. Averaged across the assessed organizations, it measures how far they were from full compliance. The table below lists the 20 DSS test procedures with the highest control gap in 2020, with the change from 2019 expressed in percentage points (pp).

    As in previous years, the Requirement 11 test procedures on penetration testing and security vulnerability scanning continue to have the highest control gap.

    # | PCI DSS control | Control description | 2019 | Change | 2020
    --|-----------------|---------------------|------|--------|-----
    1 | 11.3.3 | Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed remediation. | 27.1% | 0.6 pp | 27.7%
    2 | 11.2 | Run internal and external network vulnerability scans at least quarterly and after any significant change. | 33.5% | -9.8 pp | 23.7%
    3 | 1.2.1.b | Review internal vulnerability scan reports, and verify that all high-risk vulnerabilities are addressed and that the scan process includes rescans to verify remediation. | 23.2% | -2.4 pp | 20.8%
    4 | 1.1 | Inspect the firewall and router configuration standards and other documentation to verify that standards are complete and implemented. | 27.7% | -8.7 pp | 19.0%
    5 | 2.4 | Maintain an inventory of system components that are in scope for PCI DSS. | 24.5% | -6.0 pp | 18.5%
    6 | 2.4.a | Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each. | 23.2% | -5.9 pp | 17.3%
    7 | 6.2 | Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor patches, and install critical patches within one month. | 25.8% | -9.6 pp | 16.2%
    8 | 6.2.b | Select a sample of system components and related software, and compare the list of security patches. | 26.5% | -11.4 pp | 15.1%
    9 | 11.2.1.a | Review internal vulnerability scan reports, and verify that four passing quarterly scans were obtained in the most recent 12 months. | 20.6% | -7.9 pp | 12.7%
    10 | 3.6 | Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of CHD. | 12.3% | -0.1 pp | 12.2%
    11 | 12.2.b | Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment. | 14.2% | -2.6 pp | 11.6%
    12 | 1.2 | Examine firewall and router configurations, and verify that connections are restricted. | 14.8% | -3.3 pp | 11.5%
    13 | 12.2 | Implement a risk-assessment process that is performed at least annually and upon significant changes and which identifies assets, threats and vulnerabilities and results in a formal, documented analysis of risk. | 16.8% | -5.2 pp | 11.6%
    14 | 5.2 | Ensure that all antivirus mechanisms are periodically maintained. | 14.2% | -3.2 pp | 11.0%
    15 | 2.4.b | Interview personnel to verify the documented inventory is kept current. | 15.5% | -4.5 pp | 11.0%
    16 | 10.2 | Verify logging through interviews of responsible personnel, observation of audit logs and examination of audit log settings. | 11.6% | -1.2 pp | 10.4%
    17 | 10.7 | Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis. | 11.6% | -1.8 pp | 9.8%
    18 | 11.5.a | Verify the use of a change-detection mechanism within the CDE by observing system settings and monitored files, as well as reviewing results from monitoring activities. | 16.1% | -6.3 pp | 9.8%
    19 | 1.1.6.b | Identify insecure services, protocols and ports allowed; and verify that security features are documented for each service. | 7.1% | 2.7 pp | 9.8%
    20 | 1.1.2.a | Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to CHD, including wireless networks. | 14.2% | -4.4 pp | 9.8%

  • Biggest decreases in control gap

    The control gap improved significantly for several controls across Key Requirements 6, 8 and 11. Overall, the average global control gap improved substantially, from 7.7% in 2019 to 4.0% in 2020. The table below lists the 20 biggest decreases (improvements) in control gap, with the change expressed in percentage points (pp).

    # | PCI DSS control | Control description | 2019 | Change | 2020
    --|-----------------|---------------------|------|--------|-----
    1 | 6.2.b | Select a sample of system components and related software, and compare the list of security patches. | 26.5% | -11.4 pp | 15.1%
    2 | 12.8.2 | Observe written agreements and confirm that they include an acknowledgement by service providers. | 14.8% | -11.4 pp | 3.4%
    3 | 8.3.1.b | Observe a sample of administrator personnel login to the CDE and verify that at least two of the three authentication methods are used. | 13.5% | -11.2 pp | 2.3%
    4 | 8.3.1.a | Examine network and/or system configurations, as applicable, to verify that multifactor authentication is required for all nonconsole administrative access into the CDE. | 13.5% | -11.2 pp | 2.3%
    5 | 11.3.2.a | Examine the scope of work and results from the most recent internal penetration test to verify that testing is performed per defined methodology at least annually and after significant change. | 18.7% | -10.0 pp | 8.7%
    6 | 11.2 | Run internal and external network vulnerability scans at least quarterly and after any significant change. | 33.5% | -9.8 pp | 23.7%
    7 | 1.1.7.b | Examine documentation relating to rule set reviews and interview responsible personnel to verify that rule sets are reviewed at least every six months. | 16.1% | -9.8 pp | 6.3%
    8 | 3.4 | Render PANs unreadable anywhere they are stored (including on portable digital media, backup media and in logs). | 14.8% | -9.6 pp | 5.2%
    9 | 6.2 | Ensure that all system components and software are protected from known vulnerabilities. | 25.8% | -9.6 pp | 16.2%
    10 | 8.3 | Incorporate multifactor authentication for remote network access originating from outside. | 14.2% | -9.6 pp | 4.6%
    11 | 11.1 | Implement processes to test for the presence of wireless access points; detect and identify all authorized and unauthorized wireless access points on a quarterly basis. | 14.2% | -9.0 pp | 5.2%
    12 | 8.1.8 | For a sample of system components, inspect system configuration settings. | 13.5% | -8.9 pp | 4.6%
    13 | 11.1.c | If wireless scanning is utilized, examine output from recent wireless scans to verify that authorized and unauthorized wireless access points are identified; scan at least quarterly for all system components and facilities. | 12.9% | -8.9 pp | 4.0%
    14 | 11.4.c | Examine IDS/IPS configurations and vendor documentation to verify that IDS/IPS devices are configured, maintained and updated per vendor instructions to ensure optimal protection. | 12.3% | -8.8 pp | 3.5%
    15 | 11.2.2.a | Review output from the four most recent quarters of external vulnerability scans and verify that four occurred in the most recent 12 months. | 17.4% | -8.7 pp | 8.7%
    16 | 1.1 | Inspect the firewall and router configuration standards and other documentation to verify that standards are complete and implemented. | 27.7% | -8.7 pp | 19.0%
    17 | 5.1.1 | Review vendor documentation, and examine antivirus configurations to verify that antivirus programs detect, remove and protect against all known types of malicious software. | 11.0% | -8.7 pp | 2.3%
    18 | 3.2.2 | Examine data sources and verify that the card verification code, value printed on the front or signature panel are not stored after authorization. | 11.0% | -8.7 pp | 2.3%
    19 | 12.6 | Implement a formal security awareness program to make all personnel aware of the importance of CHD security. | 13.5% | -8.3 pp | 5.2%
    20 | 11.2.2.c | Review the scan reports to verify that the scans were completed by a PCI SSC Approved Scanning Vendor. | 13.5% | -8.3 pp | 5.2%
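The metric behind both lists above (control gap per test procedure, the year-over-year change in percentage points, and the two rankings) can be reproduced for your own assessment data. The following is an added example, not code from the report or from Verizon; the per-organization records and the pass/fail/n-a result vocabulary are constructed assumptions, and controls marked not applicable are left out of the denominator.

```python
from collections import defaultdict

# Constructed sample: one record per (organization, year, PCI DSS test procedure).
# result is "pass", "fail" or "n/a" (control not expected for that organization).
RECORDS = [
    ("org-a", 2019, "11.3.3", "fail"), ("org-b", 2019, "11.3.3", "pass"),
    ("org-c", 2019, "11.3.3", "fail"), ("org-d", 2019, "11.3.3", "n/a"),
    ("org-a", 2020, "11.3.3", "fail"), ("org-b", 2020, "11.3.3", "fail"),
    ("org-c", 2020, "11.3.3", "pass"), ("org-d", 2020, "11.3.3", "pass"),
    ("org-a", 2019, "6.2.b", "fail"), ("org-b", 2019, "6.2.b", "fail"),
    ("org-c", 2019, "6.2.b", "pass"), ("org-d", 2019, "6.2.b", "fail"),
    ("org-a", 2020, "6.2.b", "pass"), ("org-b", 2020, "6.2.b", "pass"),
    ("org-c", 2020, "6.2.b", "pass"), ("org-d", 2020, "6.2.b", "fail"),
    ("org-a", 2019, "3.6", "n/a"), ("org-a", 2020, "3.6", "n/a"),
]


def control_gap(records, year):
    """Per-control gap for one year as a fraction: failed / expected.

    A control counts as expected for an organization when the result is pass
    or fail; n/a records stay out of the denominator. Controls with no expected
    assessment in that year are omitted instead of dividing by zero.
    """
    failed, expected = defaultdict(int), defaultdict(int)
    for _org, yr, control, result in records:
        if yr != year or result == "n/a":
            continue
        expected[control] += 1
        if result == "fail":
            failed[control] += 1
    return {c: failed[c] / expected[c] for c in expected}


def gap_table(records, prev_year, year):
    """Rows of (control, gap_prev, change_pp, gap_now) in percent, like the report tables."""
    prev, now = control_gap(records, prev_year), control_gap(records, year)
    rows = []
    for control in sorted(now):
        g_now = round(100 * now[control], 1)
        g_prev = round(100 * prev[control], 1) if control in prev else None
        change = round(g_now - g_prev, 1) if g_prev is not None else None
        rows.append((control, g_prev, change, g_now))
    return rows


def biggest_gaps(rows, n=20):
    """Top-n controls by current-year gap (the 'biggest control gaps' list)."""
    return sorted(rows, key=lambda r: r[3], reverse=True)[:n]


def biggest_decreases(rows, n=20):
    """Top-n improvements: most negative pp change; controls with no prior-year figure are skipped."""
    return sorted((r for r in rows if r[2] is not None), key=lambda r: r[2])[:n]
```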