PCI-DSS Compliance Helps Prevent Data Breaches Despite IT Doubts: Survey

IT professionals remain skeptical that regulatory compliance can improve data security, but PCI-DSS-compliant organizations experience fewer breaches, according to the Ponemon Institute.

PCI-compliant organizations suffered fewer or no data breaches in 2009 and 2010 compared to previous years, according to the latest Ponemon Institute report. Even so, organizations still do not believe that implementing PCI-DSS made them more secure.

More than half, or 64 percent, of PCI-DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, according to the latest 2011 PCI DSS Compliance Trends Study released April 19. In comparison, only 38 percent of organizations which were not PCI-DSS compliant reported no breaches in 2009 and 2010.

The trend carried over to data breaches not limited to credit card theft, as well. About the same number, or 63 percent, of compliant organizations did not experience more than one incident over the same time period, compared to 22 percent of non-compliant companies. The report also found that 26 percent of non-compliant organizations reported more than five breaches over the same two years.

"Most companies who make an effort to comply with the standards are likely to suffer fewer breaches than those who don't, period," said Amichai Shulman, co-founder and CTO of Imperva.

In a survey of 670 United States and multinational IT security practitioners, the Ponemon Institute examined how efforts to comply with the PCI-DSS standard affected an organization's security. The report found that 88 percent of surveyed security professionals did not agree that the PCI regulations had any impact on the number of data breaches affecting the company. A little more than one-third, or 39 percent, of the respondents considered improved data security as one of the benefits of being PCI-compliant.

Even more telling, only 33 percent of the respondents said that the costs of PCI-DSS compliance was worth the value it brought to the organization. Companies don't appear to have an accurate perception of the value of regulatory compliance, especially considering the March report that pegged the average cost of data breaches at $214 per compromised record, according to Larry Ponemon, chairman and co-founder of the Ponemon Institute.

Despite being cynical of the benefits, two-thirds of the survey participants reported "substantial compliance" with PCI-DSS and only 16 percent said they are not compliant at all. Only half the respondents reported the same level of compliance while 25 percent hadn't adopted the standards in the 2009 report.

PCI and the accompanying PA-DSS compliance regulations require all businesses that accept debit and credit card information to implement certain safeguards to secure consumer data. Businesses who don't comply can be forced to shut down. Unlike HIPAA and other regulations, PCI is entirely industry-enforced.

The Ponemon report seems to corroborate a similar finding in the 2011 Data Breach Investigations Report released on the same day by Verizon Business, which found cyber-criminals were stealing less credit card information. While there were 760 data breaches in 2010, the number of compromised records plunged, according to Verizon.

The Verizon report found that cyber-criminals were targeting smaller organizations because they are less likely to have implemented basic security measures, or to have done so incorrectly.

Verizon's report also noted that stolen credit card information were not as valuable on the black market as they have been in previous years, because there's a glut of stolen consumer data. Most credit card numbers stolen in 2010 were likely sudden opportunistic attacks to make some quick cash, Verizon said.