The results of a survey of 500 multinational and U.S. IT security experts, conducted by Imperva and the Ponemon Institute, show that despite PCI-DSS requirements, businesses are still having problems protecting sensitive information. The issue is particularly prevalent in small to medium-sized businesses.
Businesses still struggling to protect credit data. (Image: J. Anderson)
Of those who took part in the survey, 71 percent admitted to not making data security a top strategic initiative, and 55 percent said they only secure credit card information, and not other sensitive information such as Social Security numbers, driver's license numbers, and bank account details.
Overall, 79 percent of those included in the survey results said they have experienced a security breach that resulted in the loss or outright theft of credit card information. Another interesting item of note is that 60 percent of those in the survey reported that they didn't think they had sufficient resources to comply with PCI.
There is a stark contrast in PCI compliance depending on the size of the business. The survey found that only 28 percent of smaller companies (501-1000 employees) comply with PCI, as opposed to 70 percent of larger companies (75,000 or more employees).
PCI-DSS was created to provide a set of security guidelines for all businesses that handle credit card information, enabling them to protect consumer data. Since it was enacted in June 2005, the number of data breaches and the amount of credit card fraud have continued to rise. Fraud involving credit and debit cards reached $22 billion in 2008, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research.
The survey shows that 27 percent of companies believe that PCI-DSS compliance is positively contributing to their organization's security posture and are taking a strategic approach to compliance. In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73 percent) have achieved PCI compliance using a basic checklist approach, which is a problem.
“The PCI Security Standards and the card brands must update the PCI-DSS so that it’s risk-based, depending on the system configuration of the complying company. The ‘one size fits all’ approach of the current standard imposes unreasonable requirements on many companies that have simple networks, or have implemented security technologies that aren’t included in the PCI standards, but provide equal or greater levels of protection,” said Avivah Litan, Vice President and Distinguished Analyst with Gartner Research.
Adding to Litan’s comments, Amichai Shulman, Imperva’s CTO, said that, “Companies devote 35-percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies. This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs.”
The deadline to change things in the PCI-DSS standards is October 31, 2009. More information is here.