Study Shows Businesses Face PCI Challenges

Vendors say tools that are easy to manage and deploy will help businesses achieve and maintain compliance.


The Sept. 30 deadline set by Visa USA for large enterprises to comply with the Payment Card Industry Data Security Standard is looming. But even with the deadline so close, a study commissioned by EMC's security division found that many businesses are still struggling to make the grade.

The study for RSA Security—performed by Forrester Consulting, which surveyed 677 organizations across the United States and Europe—found businesses are facing a number of challenges in achieving compliance. Forty-six percent of respondents admitted having a lack of appropriate access management measures in terms of access control, identity management and physical security. Nearly 40 percent reported a lack of appropriate monitoring and testing, while 36 percent admitted deficiencies in appropriate infrastructure management measures such as firewalls and anti-virus.

"The No. 1 thing we took away from this research is that while companies are, indeed, seeking specific products and services to address PCI DSS compliance, most merchants are looking for more than a handful of point solutions," said Dave Howell, solutions marketing manager at RSA, in Bedford, Mass. "Vendors also have an opportunity to help merchants think beyond PCI. RSA, for example, will help customers understand how the efforts they expend now may be leveraged to improve better security overall.

"In other words," Howell said, "we'll help customers to move beyond the core issue of PCI DSS compliance and understand how investments may position the organization for long-term security and business enablement."

Chris Smith, vice president of marketing at Houston-based Alert Logic, said vendors need to design tools that are easy to deploy and maintain to help companies become compliant.

"We consistently see IT people struggle to deploy the advanced technology prescribed by PCI—technology like intrusion detection, vulnerability scanning, encryption and audit log collection," he said.

PCI compliance, he said, should be approached as an ongoing process, not a project with a strict beginning and end, and needs to be incorporated into an overall security program to get the level of buy-in and resources that it requires to be successful. The business side of organizations should also work in lock step with the IT side of the house in agreeing that PCI compliance is a business imperative, Smith said.

News from the RSA study wasn't all bad. Seventy-nine percent of respondents employ encryption to protect all credit card data in their environments, and 20 percent use other means to protect or mask credit card data. Only 1 percent reported not masking or protecting credit card data.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.