In the wake of the massive breaches of payment card data in the past few years, PCI compliance and its adoption have been top of mind for any organization concerned about suffering a similar fate.
Cisco unveiled the results of a survey of 500 information technology decision-makers to gauge current sentiment on PCI DSS five years after the standard emerged. The survey included IT decision-makers involved in their organizations' PCI compliance programs from the education, financial services, government, health care and retail industries.
Think PCI is not beneficial? Think again.
- Seventy percent of survey respondents feel that their organization is more secure than it would be if PCI compliance were not required.
- Of the survey respondents, 87 percent believe that the PCI requirements are necessary for protecting cardholder data.
- Among verticals, retail respondents were as confident of passing a PCI compliance assessment as financial services respondents, showing that the retail industry has made great strides in adoption and implementation.
- Sixty-seven percent of respondents anticipate that their spending on PCI compliance will increase in the next year, indicating executive and board buy-in for the initiative.
- In addition, 60 percent of respondents said that PCI compliance projects can drive other network or network security projects.
Top challenges of PCI DSS requirements
When asked to name specific challenges in implementing the PCI DSS requirements, respondents most frequently cited educating employees on the proper handling of cardholder data, with 43 percent identifying it as an issue. Updating antiquated systems was named by 32 percent of respondents.
Of the 12 PCI DSS requirements, respondents said that tracking and monitoring all access to network resources and cardholder data (Requirement 10, 37 percent), developing and maintaining secure systems and applications (Requirement 6, 32 percent), and protecting stored cardholder data (Requirement 3, 30 percent) cause the most difficulty in achieving or maintaining compliance.
Adherence to the PCI DSS
Government fares better than other sectors on PCI assessments, and the vast majority of respondents are making strides in protecting their sensitive cardholder data.
- Eighty-five percent believe they would pass an assessment today, and 78 percent passed their initial assessment.
- Surprisingly, government respondents fared better than all other sectors analyzed, with 85 percent passing their initial assessment. Health care organizations fared the worst, with a 72 percent pass rate at the time of assessment.
- More than 85 percent of respondents were aware of the clarifications and recommendations in the newly announced PCI DSS 2.0 standard.
The Cisco study is available here.