71 Percent of Companies Don't Treat Data Security as Top Priority
Despite the Payment Card Industry's Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft. According to a recent survey from Imperva and the Ponemon Institute, 71% of companies surveyed admit to not making data security a top strategic initiative, and 55% admit to only securing credit card information and not sensitive information such as Social Security numbers, driver's license numbers, and bank account details.
The survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches. Based on these findings, Imperva is making specific recommendations to businesses to improve the safety of consumers' personal information.
The PCI DSS standard was put into effect to provide security guidelines to all businesses that handle credit card information to better protect consumers. Since it was enacted in June 2005, the number of data breaches and amount of credit card fraud has continued to rise.
According to the survey of more than 500 U.S. and multinational IT security practitioners at companies with an average of $5.6 billion in annual revenue:
- 71% of respondents do not treat PCI as a strategic initiative, yet 79 percent have experienced a data breach involving the loss or theft of credit card information.
- 55% of respondents focus only on credit card data protection and do not attempt to secure sensitive information such as Social Security numbers, driver's license numbers, bank account details and other data about people and families.
- 60% of respondents don't think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.
Smaller Businesses Struggle the Most
The survey found that only 28% of smaller companies (501-1000 employees) comply with PCI as opposed to 70% of larger companies (75,000 or more employees).
"The PCI Security Standards and the card brands must update the PCI-DSS so that it's risk-based, depending on the system configuration of the complying company. The 'one size fits all' approach of the current standard imposes unreasonable requirements on many companies that have simple networks, or have implemented security technologies that aren't included in the PCI standards, but provide equal or greater levels of protection," said Avivah Litan, Vice President and Analyst with Gartner Research in a May 2009 report, ââ€å¡Â¬Ã€¦â‚¬å“Moving Beyond PCI at Visa's Global Security Summit."
Companies that take a strategic approach to PCI compliance have fewer data breaches
The PCI DSS standard has the potential to make a powerful impact to corporate IT security initiatives. The survey shows that 27% of companies believe that PCI-DSS compliance is positively contributing to their organizations' security posture and are taking a strategic approach to compliance. In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73%) of respondents have achieved PCI compliance using a basic, checklist approach.
Business Recommendations
To coincide with the October 31st deadline for input on changing PCI-DSS standards, Imperva is providing recommendations to consumers, businesses and the PCI DSS Council.
- Use PCI to bring about a broader, more effective security program.
- Use PCI as a way to get senior management aware of and involved in IT security. PCI creates a business case that is tightly coupled to information security.
- Assign a clear champion who owns and drives PCI as well as security that is strongly empowered to direct numerous teams for support. Without a clear champion, security and compliance will suffer.
The survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches. Based on these findings, Imperva is making specific recommendations to businesses to improve the safety of consumers' personal information.
The PCI DSS standard was put into effect to provide security guidelines to all businesses that handle credit card information to better protect consumers. Since it was enacted in June 2005, the number of data breaches and amount of credit card fraud has continued to rise.
According to the survey of more than 500 U.S. and multinational IT security practitioners at companies with an average of $5.6 billion in annual revenue:
- 71% of respondents do not treat PCI as a strategic initiative, yet 79 percent have experienced a data breach involving the loss or theft of credit card information.
- 55% of respondents focus only on credit card data protection and do not attempt to secure sensitive information such as Social Security numbers, driver's license numbers, bank account details and other data about people and families.
- 60% of respondents don't think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.
Smaller Businesses Struggle the Most
The survey found that only 28% of smaller companies (501-1000 employees) comply with PCI as opposed to 70% of larger companies (75,000 or more employees).
"The PCI Security Standards and the card brands must update the PCI-DSS so that it's risk-based, depending on the system configuration of the complying company. The 'one size fits all' approach of the current standard imposes unreasonable requirements on many companies that have simple networks, or have implemented security technologies that aren't included in the PCI standards, but provide equal or greater levels of protection," said Avivah Litan, Vice President and Analyst with Gartner Research in a May 2009 report, ââ€å¡Â¬Ã€¦â‚¬å“Moving Beyond PCI at Visa's Global Security Summit."
Companies that take a strategic approach to PCI compliance have fewer data breaches
The PCI DSS standard has the potential to make a powerful impact to corporate IT security initiatives. The survey shows that 27% of companies believe that PCI-DSS compliance is positively contributing to their organizations' security posture and are taking a strategic approach to compliance. In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73%) of respondents have achieved PCI compliance using a basic, checklist approach.
Business Recommendations
To coincide with the October 31st deadline for input on changing PCI-DSS standards, Imperva is providing recommendations to consumers, businesses and the PCI DSS Council.
- Use PCI to bring about a broader, more effective security program.
- Use PCI as a way to get senior management aware of and involved in IT security. PCI creates a business case that is tightly coupled to information security.
- Assign a clear champion who owns and drives PCI as well as security that is strongly empowered to direct numerous teams for support. Without a clear champion, security and compliance will suffer.