RSA2008: PCI Knowledge Base research program

The Payment Card Industry Security Vendor Alliance (PCI SVA) announced the launch of the PCI Knowledge Base, a research program designed to help merchants, assessors, banks, processors and vendors anonymously share PCI knowledge and experience.

According to Visa, the percentage of large merchants that met PCI Data Security Standard (PCI DSS) compliance more than doubled over the last eight months. This spike in compliant companies prompted the PCI SVA, a member organization that offers institutions and card processors products and services to achieve PCI DSS compliance, to create the PCI Knowledge Base.

The PCI Knowledge Base contains over 1,200 best practices, lessons-learned, vendor experiences, PCI assessor experiences, and industry trends, based on more than 75 hours of interviews with merchants, banks, card processors and security vendors.

Some key findings in the PCI Knowledge Base include:

  • More than 65 percent of merchants and more than 80 percent of assessors say that PCI compliance choices are driven by the PCI checklist, and not by a risk management analysis, since a perfect score is required to be PCI compliant.
  • PCI has caused a major shift in the security priorities of more than 60 percent of companies, toward implementing data-at-rest encryption and network segmentation, but away from security management tools, such as security information management.
  • More than 40 percent of security managers report that PCI is an excellent standard, because it mandates specific IT controls and helps them justify needed security purchases.
  • More than 70 percent of security managers have had substantial additional burdens placed on them by PCI, primarily the requirement to regularly review log files and access controls. In most cases this must be done manually, because there is no requirement or budget to automate the review process.
  • More than 75 percent of merchants are focused on achieving “Paper Compliance” – or just getting a “Green ROC” in order to avoid fines, with a minority focused on ongoing or “Operational Compliance.”
  • Only about 10 percent of merchants are managing PCI compliance as part of an enterprise compliance plan, but nearly 30 percent of merchants are planning


