While the majority of PCI compliant organizations suffer fewer or no breaches, most practitioners still do not perceive PCI-DSS to have a positive impact on data security, according to a study by Imperva and the Ponemon Institute.
Compliant organizations suffer fewer breaches
According to the study, 64 percent of PCI-DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of non-compliant organizations reported suffering no breaches involving credit card data over the same period.
When it comes to overall data breaches (general incident or those involving credit card data), 63 percent of compliant organizations suffered no more than a single data breach, compared to 22 percent of non-compliant organizations. Notably, 26 percent of non-compliant organizations suffered more than five breaches over the same time period.
PCI-DSS perception is cynical
Despite evidence to the contrary, the study also found that 88 percent of respondents did not support the claim that PCI-DSS compliance has a positive effect on the number of breaches experienced, and only 39 percent mentioned data security improvement as one of the regulation’s value propositions for business. In fact, only 33 percent believe that PCI-DSS compliance expenditure is covered by the value it brings to organization.
“Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a much subverted perception of the value of PCI-DSS compliance,” said Larry Ponemon, chairman and co-founder of the Ponemon Institute.
Nonetheless compliance is increasing
This year’s report also found that two-thirds of respondents have achieved substantial compliance with PCI-DSS. In the 2009 PCI DSS Compliance Trends Study, the number of respondents who’d achieved similar levels of compliance was only half, and roughly 25 percent of respondents in 2009 had not achieved any level of compliance. Only 16 percent of organizations surveyed in 2011 have not achieved any level of PCI-DSS by comparison.
For a full version of the 2011 PCI-DSS Compliance Trends Study, go here (registration required).