Tripwire announced the results of research on risk-based security management in the retail industry, and the news isn’t good: the majority of the retail sector is yet to implement to the new PCI standards.
The survey, conducted in April 2013 with the Ponemon Institute, evaluates the attitudes of 1,320 respondents from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management. One hundred sixty-two retail sector respondents from the U.S. and U.K. participated in the retail portion of the survey.
The most recent version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) will soon require businesses to implement and perform penetration testing. In addition, PCI DSS 3.0 will also clarify different methods of secure authentication and session management so businesses can better protect themselves against man-in-the-middle, man-in-the-browser and other similar cyber attack methods.
However, the study revealed that the retail industry hasn’t yet implemented these new security requirements.
Key findings include:
- Only 41 percent of the retail sector uses penetration testing to identify security risks.
- Only 34 percent of the retail sector measures the reduction in access and authentication violations to assess risk management efforts.
- Only 44 percent of the retail sector has fully or partially deployed file integrity monitoring.
- 62 percent of IT professionals in the retail sector say that negative facts about security risks are filtered before being communicated with senior executives.
For more information about this survey, go here.