12:31 PM

67% Of Companies Fail Credit Card Security Compliance

Payment Card Industry Data Security Standard is seen as a burden by half of security pros, and 59% don't think it helps them become more secure, according to a study from Ponemon.

The Payment Card Industry Data Security Standard--known as PCI DSS, or just PCI--is meant to safeguard cardholder data. Yet, 67% of PCI-regulated companies are still not in full compliance with the standard.

That key finding comes from a new survey of 670 IT security practitioners conducted by Ponemon Institute and sponsored by data security vendor Imperva.

PCI may have an image problem. According to the study, 50% of security professionals view PCI as a burden, and 59% don't think it helps them improve security. Furthermore, comparing this study with the inaugural one conducted in 2009, the number of respondents who said they had sufficient resources to comply with PCI dropped from 40% to 38%.

Ponemon also found that the share of organizations that had experienced a data breach in the past two years rose from 79% in 2009 to 85% in 2011. The share reporting between two and five data breaches in the past 24 months also jumped, from 30% to 41%. And 39% of all breaches, the study found, involved cardholder data.

Companies that were not in compliance with PCI reported more data breaches. While 64% of PCI-compliant companies said they had experienced no data breaches in the past two years, only 38% of non-compliant companies could say the same.

Interestingly, the survey found no strong correlation between PCI-related expenditures and compliance levels. "In a somewhat counter-intuitive manner, those organizations [that] suffered no breaches are not necessarily those who spent the biggest budget," said Rob Rachwald, Imperva's director of security strategy, on the company's blog.

Looking at the overall survey results, Rachwald said one takeaway is that "PCI is very effective in reducing breaches but it seems many companies don't believe it."

But why are so many companies allowed to remain out of compliance with PCI? That question lends fuel to a regular criticism of PCI, which is that it's little more than a face-saving exercise for the credit card brands. If a company is breached and credit card data is stolen, the card brands can blame the merchant for not complying fully with PCI, even if it had passed an audit.

That raises the question: Is PCI worth it? The issue of how and why companies spend money on standards such as PCI is contentious, in part because it raises the question of whether organizations are focused on passing their compliance exam, or on improving security to the point where the company will naturally pass its compliance exam. The former approach does little to effectively protect cardholder data.

"The number-one thing that scares me isn't the latest attack, or the smartest guy in the street, it's security by compliance, for example with PCI," John P. Pironti, president of risk and information security consulting firm IP Architects, said in an interview. Security by compliance, he said, doesn't do a company any favors, especially because attackers can reverse-engineer the minimum security requirements dictated by a standard to look for holes in a company's defense. In that case, does a little compliance create a false sense of security?
