Business security firm Imperva and the Ponemon Institute announced the findings of a survey across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry's Data Security Standard, companies still struggle with data security, putting consumers at continued risk for identity theft. The survey also found that only 28 percent of smaller companies (501-1,000 employees) comply with PCI as opposed to 70 percent of larger companies (75,000 or more employees).
Seventy-one percent of companies surveyed admitted to not making data security a top strategic initiative, and 55 percent admitted to only securing credit card information and not sensitive information such as Social Security numbers, driver's license numbers and bank account details. However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches.
According to the survey, 79 percent have experienced a data breach involving the loss or theft of credit card information and 60 percent of respondents didn't think they had sufficient resources to comply with PCI and bring about a necessary level of cardholder security. Imperva CEO Shlomo Kramer said if businesses protect consumers as required by the PCI DSS standard, there is an incredible opportunity to improve your overall security posture.
The survey found 27 percent of companies believe that PCI-DSS compliance is positively contributing to their organizations' security posture and are taking a strategic approach to compliance. In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73 percent) of respondents achieved PCI compliance using a basic, checklist approach. Imperva CTO Amichai Shulman noted companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies.
"Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data," said Larry Ponemon, chairman and founder of the Ponemon Institute. "The results of our study indicate that while some companies have figured out how to convert PCI standards into an overall security mandate-many more have not."
In a May 2009 study, Avivah Litan, vice president and distinguished analyst with Gartner Research, wrote a report titled "Moving Beyond PCI" in which Litan said the PCI Security Standards and the card brands needed to update the PCI-DSS so that it's risk-based, depending on the system configuration of the complying company. "The -one size fits all' approach of the current standard imposes unreasonable requirements on many companies that have simple networks, or have implemented security technologies that aren't included in the PCI standards, but provide equal or greater levels of protection," Litan noted.