Imperva and the Ponemon Institute announced the findings of a survey across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft.
According to the survey of more than 500 U.S. and multinational IT security practitioners at companies with an average of $5.6 billion in annual revenue:
- 71% of respondents do not treat PCI as a strategic initiative, yet 79% have experienced a data breach involving the loss or theft of credit card information.
- 55% of respondents focus only on credit card data protection and do not attempt to secure sensitive information such as Social Security numbers, driver’s license numbers, bank account details and other data about people and families.
- 60% of respondents don’t think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.
However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches. Based on these findings, Imperva is making specific recommendations to consumers, businesses and the PCI DSS Council to improve the safety of consumers’ personal information.
The survey also found that only 28% of smaller companies (501-1000 employees) comply with PCI as opposed to 70% of larger companies (75,000 or more employees).
The PCI DSS standard has the potential to make a powerful impact on corporate IT security initiatives. The survey shows that 27% of companies believe that PCI-DSS compliance is positively contributing to their organizations’ security posture and are taking a strategic approach to compliance. In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73%) of respondents have achieved PCI compliance using a basic, checklist approach.
Imperva’s recommendations to consumers, businesses and the PCI DSS Council
For PCI-DSS Council:
- Have a compliance logo for consumers. Today, companies can’t articulate their security efforts to consumers, and consumers are not aware of the compliance status of the retailers they do business with. As a consequence, companies cannot leverage their investment in PCI compliance to gain competitive advantage.
- Modify compliance needs for larger and smaller companies. Smaller companies need to have a modified standard that takes into account different environments and security needs.
For consumers:
- Look for PCI compliant companies. In general, companies that were compliant suffered fewer breaches. Although compliance doesn’t guarantee perfect security, it helps the odds.
For businesses:
- Use PCI to bring about a broader, more effective security program.
- Use PCI as a way to get senior management aware of and involved in IT security.
- Assign a clear champion who owns and drives PCI as well as security, and who is strongly empowered to direct numerous teams for support.